Interaction with Widevine

UDRM-Widevine Ecosystem

The diagram below illustrates the available components within the “UDRM – Widevine” ecosystem.

In the Google Widevine terminology, the SmartLabs UDRM is a License Proxy.

The LockBox, Keysmith, OEMCrypto components are specific to device integration.

Content Encryption Process

1. The entry of the content item is stored in the UDRM DB.
2. The keys for the content decryption are stored in the UDRM DB in encrypted or non-encrypted form (controlled by the UDRM configuration option keyEncryptionSeed).
3. The playlist.mpd with included PSSH (Protection System Specific Header) is generated.

Upon that, the external Widevine License Service is not polled — all described encryption processes are performed by UDRM.

Content Decryption Process

1. The UDRM stores URL and keys for accessing the Widevine Licensing Service. These URL and keys are unique for each customer (in case of UDRM — for SmartLabs).
2. The media player requests the UDRM using the HTTPS POST request. This request contains data from the playlist.mpd and has a special format specified by Widevine (a bite payload, including PSSH and content_id).
3. Then there are 2 possible options:
   • With device authorization: The media player requests the UDRM via HTTPS  with device authorization in the middleware (i.e. SmartTUBE SDP):
   • The HTTPS request passes the header X-UDRM-Token or cookie udrm-token — the token generated by the middleware. This token contains the following data fields: clientId + / + tokenAssetId + / + expirationDuration + / + signer + / + hexSignatureStr
   • The signature is calculated for the token.
   • If the calculated signature and the signature received along with the token match, the device becomes authorized.
   • UDRM requests the Widevine License Service (see below).
   • Without device authorization: The media player requests the UDRM via HTTPS without device authorization in the middleware:
   • The UDRM requests the Widevine License Service (see below). No additional steps are performed.

4. Upon receiving the content_id the UDRM searches for the content and its keys. Encrypted keys are decrypted.
5. UDRM generates the request of the format specified by Widevine. This request contains data about media player, content keys, PSSH, and so on.
6. Widevine License Service responds whether the content watching is allowed and, in case of a successful response, gives a certificate (byte response).
7. UDRM passes the certificate to the media player for the content playback.

Features of Interaction with the Go3 Content Provider

When interacting with the content of the Go3 provider, a separate module is used — UDRM-GO3-WV. This module has a special workflow for content decryption, which looks as described below.

1. The UDRM stores URL and login to access the Go3 server.
   The UDRM’s config file contains the options apiAuth and authBasicPass responsible for secure accessing to the Go3 API.
2. The media player requests the UDRM-GO3-WV module using the HTTPS GET or POST request. This request contains data from the playlist.mpd, including PAYLOAD (PSSH) and content identifier (extEncInfo).
3. The UDRM-GO3-WV module performs authorization on the Go3 server and passes the PAYLOAD and extEncInfo.
4. Upon receiving a response from the Go3 server, the UDRM-GO3-WV module passes it back to media player.