Introduction

In this blog we are going to discuss the new KeyOS FairPlay Import tool which enables faster deployments for FairPlay DRM as part of your KeyOS MultiKey Services. 

1.1. Terms and Definitions

• Application Secret Key ( ASk ) - is a secret value which is used to secure the license acquisition process. It is provided in the form of a 32 character long hexadecimal string. For example: 6b53443fbe9e4b42b198bb9b8374fe8e. It may also start with the 0x symbol, for example 0x6b53443fbe9e4b42b198bb9b8374fe8e.

• FairPlay Streaming Certificate ( FPS Certificate ) - is a non-secret certificate which has .der or .cer extension and contains binary certificate data including your company name, signed by Apple. This certificate is publicly available after deployment.
• FairPlay Streaming Certificate's Private key - is an RSA key which you generate as a first step to acquiring the FPS Certificate. It has the .pem extension and contains a base-64-encoded private RSA key and can be either in plain or encrypted form. When you generate your RSA keypair, you will be as asked to protect your private key with a passphrase. It is recommended to do so to additionally protect the key. Please, remember the passphrase as you will need it in order to import your data into the KeyOS Console.
  
  Note: Please do not confuse this FairPlay Streaming Certificate's Private key with BuyDRM's Authentication XML RSA key used for signing and authorizing end-user requests with additional license playback and expiration policies.
  

2. Getting the required SDK, certificate and ASk from Apple

In order to use FairPlay DRM with your KeyOS MultiKey Service, you will need to securely provide the following components to the BuyDRM Support Team via the KeyOS Console: 

• FairPlay Streaming Certificate
• FairPlay Streaming Certificate's Private key
• Password / passphrase used during private key's encryption  (if encrypted ).
• Application Secret key ( ASk )

These components must be conveyed in a secure manner to BuyDRM Support Team via the KeyOS Console in the process described in the diagram below.

Figure 1. Exchanging required information with Apple and BuyDRM.

As shown in the diagram above, you will start the process by contacting Apple to get information regarding obtaining a FairPlay Streaming Certificate (FPS Certificate), the FairPlay Streaming Certificate’s Private key and the Application Secret key (ASk). These components comprise your FPS Deployment package. More details about Fairplay DRM are available.

Note: Apple will provide you with step-by-step instructions on how to generate the required information and how upload it into the Apple developer account. The information below augments those instructions.

In order to get your FPS Certificate, you will be asked to generate

• A Pair of RSA keys that will include the private and the public RSA key. You will be asked to protect your private key with a passphrase. Please, do so to increase security. Please, remember the passphrase as you will need it later when importing data into the KeyOS Console.
• The Certificate Signing Request (CSR).

With your newly generated Certificate Signing Request (CSR) you can upload the request through the Apple developer portal, receive your team's unique Application Secret Key (ASk), and download your FPS certificate. In order to do that, please:

• Ask your Team Agent to log into Apple developer account and request a new FairPlay Streaming Certificate though a Certificates section.
• Upload the CSR when asked through an Apple developer account.
• Write down your ASK and store in a safe location. You will need it later when importing data into the KeyOS Console.
• When asked for a 32-character key, enter your ASK into provided field(s).
• Download your FPS Certificate. ( Make sure to save a backup copy of your private and public keys in a safe place. )

After the above steps, you should have the following:

• FPS Certificate which you have downloaded from your Apple developer account.
• Private key which you have generated as the first step.
• Passphrase for the private key.
• ASK

3. Importing data into KeyOS

Note: In order to use the import tool, please, use the Chrome or Safari browsers.. Scripts used on the page use some features that are unsupported by IE browsers. To begin the process login to your KeyOS Account via the KeyOS Console.

Previously, we asked our customers to securely provide us with the FPS Certificate, the Private Key and its passphrase and the ASK in a PGP encrypted archive using a KeyOS Support Ticket. Although this is still possible, we encourage you to use the KeyOS FPS Components Import Tool moving forward. In order to import your data into the system, all you need to do is fill in the form in the KeyOS Console.

Figure 2. KeyOS FPS Certificate Import Tool

The KeyOS FPS Components Import Tool is located in your KeyOS Account at www.keyos.com under "FPS Components -> Import DRM Components." In order to import a new FPS certificate:

1. Click on the "+" sign in the upper right corner next to the refresh icon.
2. Select (or enter manually) the file which contains your ASK. The ASK is a 32-character hex string. If the ASK starts with "0x", it will be a 34-character string which is also fine.
3. Select your FPS Certificate which usually has a .cer or .der extension.
4. Select (or enter manually) the FPS Certificate's Private Key which usually has a .pem extension and is either passphrase protected or not. If the key is passphrase protected, it will contain the Proc-Type: 4, ENCRYPTED in its body and you will be asked to enter your passphrase below the key.
5. Enter your passphrase if asked.
6. Click import.

If there were no errors, you will see the message below for a successful import:

Figure 3. KeyOS FPS Components Import Tool Success Message

The import itself may take some time and once the data was provisioned, you will see a ticket created under your account in which we will provide you with information about how to setup your playback clients in order to successfully acquire FairPlay DRM license keys from the KeyOS MultiKey Licensing API.

Note: In case you have used the passphrase to encrypt your private key during its generation but are not willing to share this passphrase with a third-party for  confidentiality reasons, you can use following OpenSSL command to decrypt previously encrypted key on your side and then submit to KeyOS a plain       ( unencrypted ) version of the FairPlay Streaming Certificate's Private key (replace file names below with the file name of your private key):

openssl.exe rsa -in encrypted_fp_key_.pem -out plain_fp_key.pem

Note: The key must still be provided in a protected way I.E, in a PGP-protected archive or it must be PGP-protected itself to save it from being stolen and used by an unauthorized party.

3.1. If you can't use the FPS Components Import Tool

We encourage you to use the FPS Certificate Import Tool available in your KeyOS Console. It is secure and will save you time especially if you don't know how to apply PGP encryption to files. The KeyOS RSA public key which you may use to encrypt the content is available in your KeyOS Account. In the KeyOS Wiki search "Public Key" for this KeyOS RSA public key and more info on both the manual and the automated import methods we support.

But, if, for some reason, you prefer the manual method please, put the three components below Into an archive and apply PGP encryption to the archive using your favorite Open PGP compliant tool.

(NOTE: BuyDRM will continue supporting the "manual import method" for FairPlay DRM Components for another 180 days before phasing it out entirely.)

1. FPS Certificate
2. FPS Certificate's Private Key
3. Private Key's passphrase (if you have protected your private key with one. If you don't wish to provide it for security reasons, see section 3 for instructions about how to export the private key w/o the passphrase)
4. ASK
   
   
   To securely deliver the FairPlay DRM components archive to BuyDRM:
   
   
   1. Customer should have all FairPlay components inside an archive which is protected with PGP encryption using the public key below:
   
   -----BEGIN PGP PUBLIC KEY BLOCK-----
   Version: GnuPG v2mQENBFggr1IBCADMHdAixprMj++f8c81aIvO3eOVCnIpufGgl9KWb7wNgoycAStgVhfJ1uTbNSRP6+B2ux0RmePOX9BZO2eIz+DPEX0qJ3l9zBiU/rjIj61I+CvmUsGTH94DR2rAh+jSUbWQ2eJuJkd3tSO9Re+Wg6FNBwqR05nX/pD1O4/VWNrRrXNSeyouZewx4Uvn/YqPQTP9tzQO6Ux7gi/Xc5cCTOwvKr7vJdtYI02wrDY0fYBZXTlCNS9unR4VnIuALV67W/+L99Wcn+b67i07QLBqaw0uC/7niZzWoHUmnQ+yLBpeeEo46SGYXDWoNfUsz3zpI8F5I/cEynfuEB3+qYlF80UBABEBAAG0WkJ1eURSTSAoQ2VydGlmaWNhdGUgZm9yIHNlY3VyZWx5IHN1Ym1pdHRpbmcgc2Vuc2l0aXZlIGRhdGEgdG8gQnV5RFJNKSA8c3VwcG9ydEBidXlkcm0uY29tPokBOQQTAQgAIwUCWCCvUgIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEC682gtiMKxa0P4H/05e9linfjchk5IS5kl0ZB4PsWYrEAGjkpxO08wkqqagPxXO97QPuyOAYE2u0st53AP9BzacviiwFFyO10E/BpWH+l1keSfaI0d1DH59n2pythejAF5I9imwDu3WqiwjRwSGYl2AYj1yCWsyUWojL5CgyZc//Jpf+eq/ngvS8Kd2kS6vabEuEq60gC6Os9isRDg2Jefa3CBrQ5tvOK052d6Rx8eWWS5dlrUnVXgAZ29QA6KNATrOJRmFxCSFHFo3JsANspsctDubH481BA241Wb4IVD8AWuay1EcpZyhFhZy9SWJ2mvCZB4vAgXu8KBLYsDZpjP6sbkMD+S1oW9OhTW5AQ0EWCCvUgEIAJ0o6eG16WnRgvyTVRT53Uf7MXeaWjkzUbEmKqPqAA9wQAVFnfKr3J0u4OvMDsiN+aFwOs/opkIhvuM/5VBF7HLqUqL6uRx6Vb2ia2dsk1GbHCG4RV6X+B0gbbKpByYCg/jefYhJsOS3Vw8nu7EofqRTr6/0NWa1ddCxJ+vDsC+fH11Br3JM3ngip64jCQUsRH/TqYlGQ7Ere3to9DElSlFBqNeyjKFbuvyAuELh8MEH7GvaS004hPqtAXH0yyTk4HIMTtUAQSpkv5SwuFVJVD4BHkXxgNJ53ri1a+nzXz+4gk3yvD/zxNyv7HUZE9zM/li2CfkJUqOTOYdiyGU22okAEQEAAYkBHwQYAQgACQUCWCCvUgIbDAAKCRAuvNoLYjCsWt6+CACh412gRYjpt8yI0DpVC5bdmrLcCiCnCybT/XRkgzg/OS8Hr3MXKVGzeIQCwwQCCQuMnOA7Q9pWndFJtgaD9aSwp/0NQw+KrBGZhSaG5+aXauUGnGVE1LZ3B7zboo1/iyFRNm99/5cHzZaI4O+++Pb3v7/JSyTjM+7x+kwU1XyWX51vJxhic1DNZ/W4S/hk4wxWE/lS+YqhT6mn0A1aDX89PQpg6ATRBjWHWn6OY1RaxqSzgd2QJ1pBMTY6Fj5WX7JPEuDRAOKGcAaq7/f6HYNm3273zwa74tt6XuRER1XrK257WR4luVqdqMv2SkB71WklehBsnQw3mqMxdOu/aDz+=qD5J
   -----END PGP PUBLIC KEY BLOCK-----
   
   
   2. There are two options  to provide the PGP protected archive to BuyDRM:
5. You can email the archive directly to the BuyDRM Support Team. Search the KeyOS Wiki for "FairPlay DRM Components Email" 
6. Or encrypted archive can be uploaded via the KeyOS Support System inside a new Ticket under the "Support" section of your KeyOS Console account.