Apple FairPlay 许可要求和配置Apple FairPlay license requirements and configuration

媒体服务徽标 v3media services logo v3

使用 Azure 媒体服务可通过 Apple FairPlay (AES-128 CBC) 加密 HLS 内容 。Azure Media Services enables you to encrypt your HLS content with Apple FairPlay (AES-128 CBC). 媒体服务还提供用于交付 FairPlay 许可证的服务。Media Services also provides a service for delivering FairPlay licenses. 当播放器尝试播放受 FairPlay 保护的内容时,将向许可证交付服务发送请求以获取许可证。When a player tries to play your FairPlay-protected content, a request is sent to the license delivery service to obtain a license. 如果许可证服务批准了该请求,则会颁发该许可证,该许可证将发送到客户端,并用来解密和播放指定的内容。If the license service approves the request, it issues the license that is sent to the client and is used to decrypt and play the specified content.

媒体服务还提供可用于配置 FairPlay 许可证的 API。Media Services also provides APIs that you can use to configure your FairPlay licenses. 本主题讨论 FairPlay 许可证要求,并演示如何使用媒体服务 API 配置 FairPlay 许可证 。This topic discusses FairPlay license requirements and demonstrates how you can configure a FairPlay license using Media Services APIs.


使用媒体服务通过 Apple FairPlay 加密 HLS 内容并使用媒体服务交付 FairPlay 许可证时,必需完成以下各项 :The following are required when using Media Services to encrypt your HLS content with Apple FairPlay and use Media Services to deliver FairPlay licenses:

  • 注册 Apple 开发计划Sign up with Apple Development Program.

  • Apple 要求内容所有者获取部署包Apple requires the content owner to obtain the deployment package. 说明已使用媒体服务实现密钥安全模块 (KSM),以及正在请求最终 FPS 包。State that you already implemented Key Security Module (KSM) with Media Services, and that you are requesting the final FPS package. 最终 FPS 包中有如何生成证书和获取应用程序密钥 (ASK) 的说明。There are instructions in the final FPS package to generate certification and obtain the Application Secret Key (ASK). 可使用 ASK 配置 FairPlay。You use ASK to configure FairPlay.

  • 必须在媒体服务密钥/许可证交付端上设置以下各项:The following things must be set on Media Services key/license delivery side:

    • 应用证书 (AC) :这是一个包含私钥的 .pfx 文件。App Cert (AC): This is a .pfx file that contains the private key. 创建此文件,并使用密码对其进行加密。You create this file and encrypt it with a password. .pfx 文件应采用 Base64 格式。The .pfx file should be in Base64 format.

      以下步骤介绍如何为 FairPlay 生成 .pfx 证书文件:The following steps describe how to generate a .pfx certificate file for FairPlay:

      1. 安装 OpenSSL。Install OpenSSL from

        转到 Apple 提供的 FairPlay 证书和其他文件所在的文件夹。Go to the folder where the FairPlay certificate and other files delivered by Apple are.

      2. 从命令行运行以下命令。Run the following command from the command line. 这会将 .cer 文件转换为 .pem 文件。This converts the .cer file to a .pem file.

        "C:\OpenSSL-Win32\bin\openssl.exe" x509 -inform der -in FairPlay.cer -out FairPlay-out.pem"C:\OpenSSL-Win32\bin\openssl.exe" x509 -inform der -in FairPlay.cer -out FairPlay-out.pem

      3. 从命令行运行以下命令。Run the following command from the command line. 这会将 .pem 文件转换为包含私钥的 .pfx 文件。This converts the .pem file to a .pfx file with the private key. 然后 OpenSSL 会要求提供 .pfx 文件的密码。The password for the .pfx file is then asked by OpenSSL.

        "C:\OpenSSL-Win32\bin\openssl.exe" pkcs12 -export -out FairPlay-out.pfx -inkey privatekey.pem -in FairPlay-out.pem -passin file:privatekey-pem-pass.txt"C:\OpenSSL-Win32\bin\openssl.exe" pkcs12 -export -out FairPlay-out.pfx -inkey privatekey.pem -in FairPlay-out.pem -passin file:privatekey-pem-pass.txt

    • 应用证书密码:用于创建 .pfx 文件的密码。App Cert password: The password for creating the .pfx file.

    • ASK:使用 Apple 开发人员门户生成证书时会收到此密钥。ASK: This key is received when you generate the certification by using the Apple Developer portal. 每个开发团队都会收到唯一的 ASK。Each development team receives a unique ASK. 请保存一份 ASK 副本,并将其存储在安全位置。Save a copy of the ASK, and store it in a safe place. 需要将 ASK 配置为媒体服务的 FairPlayAsk。You need to configure ASK as FairPlayAsk with Media Services.

  • 以下事项必须通过 FPS 客户端来设置:The following things must be set by the FPS client side:

    • 应用证书 (AC) :这是一个包含公钥的 .cer/.der 文件,操作系统使用它来加密某些负载。App Cert (AC): This is a .cer/.der file that contains the public key, which the operating system uses to encrypt some payload. 媒体服务需要了解它,因为播放器需要它。Media Services needs to know about it because it is required by the player. 密钥传送服务使用相应的私钥对其进行解密。The key delivery service decrypts it using the corresponding private key.
  • 要播放 FairPlay 加密的流,需要先获取实际 ASK,然后生成实际证书。To play back a FairPlay encrypted stream, get a real ASK first, and then generate a real certificate. 该过程将创建所有三个部分:That process creates all three parts:

    • .der 文件.der file
    • .pfx 文件.pfx file
    • .pfx 的密码password for the .pfx


在打包或密钥交付期间,Azure 媒体服务不会检查证书的到期日期。Azure Media Services doesn't check the certificate expiration date during packaging or key delivery. 证书到期后,它将继续工作。It will continue to work after the certificate expires.

FairPlay 和播放器应用FairPlay and player apps

使用 Apple FairPlay 对内容进行加密时,各视频和音频示例都使用 AES-128 CBC 模式进行加密********。When your content is encrypted with Apple FairPlay, the individual video and audio samples are encrypted by using the AES-128 CBC mode. FairPlay 流式处理 (FPS) 集成到设备操作系统,iOS 和 Apple TV 本身支持这项功能。FairPlay Streaming (FPS) is integrated into the device operating systems, with native support on iOS and Apple TV. OS X 上的 Safari 使用加密媒体扩展 (EME) 接口支持启用 FPS。Safari on OS X enables FPS by using the Encrypted Media Extensions (EME) interface support.

Azure Media Player 还支持 FairPlay 播放。Azure Media Player also supports FairPlay playback.

可以通过使用 iOS SDK 开发自己的播放器应用。You can develop your own player apps by using the iOS SDK. 若要能够播放 FairPlay 内容,必须实现许可证交换协议。To be able to play FairPlay content, you have to implement the license exchange protocol. 此协议不由 Apple 指定。This protocol is not specified by Apple. 而是取决于每个应用发送密钥传送请求的方式。It is up to each app how to send key delivery requests. 媒体服务 FairPlay 密钥传送服务需要 SPC 为采用以下形式的 www-form-url 编码后消息:The Media Services FairPlay key delivery service expects the SPC to come as a www-form-url encoded post message, in the following form:

spc=<Base64 encoded SPC>

FairPlay 配置 .NET 示例FairPlay configuration .NET example

可使用媒体服务 API 来配置 FairPlay 许可证。You can use Media Services API to configure FairPlay licenses. 当播放器尝试播放受 FairPlay 保护的内容时,将向许可证交付服务发送请求以获取许可证。When the player tries to play your FairPlay-protected content, a request is sent to the license delivery service to obtain the license. 如果许可证服务批准了请求,则该服务将颁发许可证。If the license service approves the request, the service issues the license. 许可证将被发送到客户端,并用于解密和播放指定的内容。It's sent to the client and is used to decrypt and play the specified content.


通常,可能只需配置一次 FairPlay 策略选项,因为仅有一套证书和 ASK。Usually, you would want to configure FairPlay policy options only once, because you will only have one set of a certification and an ASK.

以下示例使用媒体服务 .NET SDK 配置许可证。The following example uses Media Services .NET SDK to configure the license.

private static ContentKeyPolicyFairPlayConfiguration ConfigureFairPlayPolicyOptions()

    string askHex = "";
    string FairPlayPfxPassword = "";

    var appCert = new X509Certificate2("FairPlayPfxPath", FairPlayPfxPassword, X509KeyStorageFlags.Exportable);

    byte[] askBytes = Enumerable
        .Range(0, askHex.Length)
        .Where(x => x % 2 == 0)
        .Select(x => Convert.ToByte(askHex.Substring(x, 2), 16))

    ContentKeyPolicyFairPlayConfiguration fairPlayConfiguration =
    new ContentKeyPolicyFairPlayConfiguration
        Ask = askBytes,
        FairPlayPfx =
                Convert.ToBase64String(appCert.Export(X509ContentType.Pfx, FairPlayPfxPassword)),
        FairPlayPfxPassword = FairPlayPfxPassword,
        RentalAndLeaseKeyType =
        RentalDuration = 2249 // in seconds

    return fairPlayConfiguration;

后续步骤Next steps

了解如何使用 DRM 提供保护Check out how to protect with DRM