Support AES-128 on HLS

[avelad]

This it's a request feature for support AES-128 on HLS. Is it possible support it?

Sample stream:
https://playertest.longtailvideo.com/adaptive/oceans_aes/oceans_aes.m3u8

Now, I get: HLS_REQUIRED_ATTRIBUTE_MISSING (KEYFORMAT)

[ismena]

@avelad I am under impression that AES-128 on HLS implies FairPlay. (Please correct me if I'm mistaken).
If that's the case, we have an issue about adding FairPlay support: #382. (You can take a look at the comments there to find out how it's going and what kind of complications we ran into with this).

If that's not related to FairPlay, let me know, we'll treat this separately!

[avelad]

It's a very simple mechanism. Each segement is encrypted with a key, for get this key only it's necessary get the response of license request of URI.

In the initial sample:

#EXT-X-KEY:METHOD=AES-128,URI="oceans.key"
#EXTINF:11, no desc
oceans_aes-audio=65000-video=236000-1.ts

The response of "oceans.key" is "õq¿ìý�¹­°\æú��ý�"
With this key, you can descrypt the segments.

A interesting article about that:
https://www.theoplayer.com/blog/content-protection-for-hls-with-aes-128-encryption

Sample:
https://tools.ietf.org/html/draft-pantos-http-live-streaming-13#section-8.4

[ismena]

Ok, let us take a look and see if we can make it work!

I'm adding this to the backlog since it requires investigation which makes me hesitant about scheduling it for 2.2. @joeyparrish please feel free to override me on this!

[TheModMaker]

This looks like it could be implemented using clearkey. But there is a problem. AFAIK, all clearkey implementations use AES CTR for decryption, while HLS encryption uses AES CBC. Even if the browser supported CBC, there is no way in EME to pass the encryption scheme or the IV. If you are using Widevine encryption, this info is passed in the init data, but clearkey init data doesn't support these extra fields.

See #358 for a similar situation using DASH.

[joeyparrish]

If the keys are in the clear anyway, we could look into WebCrypto APIs: http://caniuse.com/#feat=cryptography

[DiegoZurita]

Is there any workaround to use AES-128 HLS encrypted?

[avelad]

I found that videojs uses https://github.com/videojs/aes-decrypter

s it possible to use it like mux.js?

[TheModMaker]

@avelad We probably wouldn't need that since we can just use the WebCrypto APIs to decrypt the content. What we could do is just query that URL and get the key, then use that with WebCrypto to decrypt the data before passing to MediaSource. I think AES-128 encrypts everything, so we might not even have to parse the container data.

[elv-peter]

I ran into this problem as well. You can easily generate a test with Bento4:

mp4hls --encryption-key 37d7ad30b2a8e801864b023e330c4b02 -o test --output-encryption-key --exec-dir=/usr/local/Cellar/bento4/1.5.1-628/bin trailer_1080p.mov

Safari, VLC, and videojs are all able to play it. Shaka gives me HLS_COULD_NOT_PARSE_SEGMENT_START_TIME (code 4030). If you decide not to add this feature, perhaps at least check for EXT-X-KEY in the manifest and output a more informative error message like "AES not supported"?

[joeyparrish]

Parsing of segment start times is something we do now, but we could probably avoid in many cases. That is something we're planning for a future release, likely v2.6 or v2.7.

Aside from that, though, you're right. We could probably detect and reject AES-128 content with a meaningful error code instead of failing to parse it.

[kevinscroggins-youi]

@joeyparrish @TheModMaker Any updates on when this feature might be implemented? Thank you!

[joeyparrish]

No, it's not scheduled yet. But we are always willing to accept contributions from the community, so please feel free to discuss design and/or work on a PR if this is important to you. Thanks!

[anuragkalia]

I ran into this issue and so will need to add support for it, I think. Will keep it posted here if I run into some problem.

[kakyleung]

What's the conclusion about this? Does Shaka packager support AES-128 method ?

[willkk]

What's the conclusion about this? Does Shaka packager support AES-128 method ?

Obviously, No!

[wjywbs]

@avelad Sure, I created PR #3880
@hiren3897 Yes, I used <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/mux.min.js"></script>

[hiren3897]

Hello @wjywbs @theodab
Can we have the estimated time for the work of this feature?

Thanks

[joeyparrish]

There's no estimate available right now, because nobody on the Shaka team is working on this right now.

It will become a higher priority for us later this year, as we need this feature in Shaka to fully deprecate another player. In the meantime, community contributions are very welcome! I just exchanged messages with someone on Slack who wants to take over and improve the existing PR.