Shaka-player: [UAT license server bug] Widevine contents fail in demo app with Chrome Beta 58 and Canary 59

It appears that the license server is having intermittent failures. The failure seems to be triggered by the service certificate requests being sent by Chrome 58+. For now, I am marking this as "external bug" until we have more information.

I have this information about this problem:

This is a special update to provide early notification of upcoming changes to the Widevine CDM client scheduled to ship with Chrome 58. This update is live and ready to test on the Chrome beta channel.

Please contact us for any issues.

_What’s Changing_
Chrome 58 will introduce a new CDM security feature known as Verified Media Path (VMP). VMP requires the use of a service certificate.

Prior to Chrome 58, service certificate requests were only made when certain EME options were enabled (e.g. persistentState, distinictiveIdentifier).

With the addition of VMP in Chrome 58, a service certificate is now required. If a service certificate does not exist, a certificate request will be initiated prior to every license request.

_When?_
Scheduled for April 25 2017
_Which Platforms?_
Chrome on Desktop and Android starting from version 58
_What do I need to do?_

_License Proxy_
A service certificate request will precede each license request.
As a result, expect an increase of traffic at your proxy service.

Service certificate requests are smaller in size (2-4 bytes) compared to a license request and must be forwarded as-is (unchanged) to the Widevine Cloud License Service.

_License Server SDK_
Please ensure that the SDK is initialized with the service certificate as documented on page 7 in our SDK API doc (for Java, it's in WvPLEnvironment.setServiceCertificate).

The service certificate returned to the client will match the service certificate initialized by the SDK. These service certificates must match to allow the browser client to accept licenses from the SDK.

_Chrome Browser_
The browser player application must set the service certificate to prevent a certificate request for each CDM session.

Setting the service certificate to the application can be accomplished by using the EME’s setServiceCertificate API with the following considerations:

setServiceCertificate should be called after the MediaKeys object is created, but before creating sessions with mediaKeys.createSession(...).
The argument type is a BufferSource, which means either an ArrayBuffer or a Uint8Array will be accepted. A hex-encoded or base64-encoded string will not be accepted.
The method returns a Promise that is resolved or rejected when the operation is complete. Sessions should be created after the Promise resolves.

_Shaka Player_
Shaka Player already supports calling this method at
https://github.com/google/shaka-player/blob/ac46792/lib/media/drm_engine.js#L261

An example on how Shaka Player can be configured to set service certificate is as follows:

var serverCertificate = new Uint8Array(...);
player.configure({
  drm: {
    advanced: {
      'com.widevine.alpha': {
        serverCertificate: serverCertificate
      }
    }
  }
});

Troubleshooting
If you are receiving INVALID_LICENSE_CHALLENGE errors, review the internal_status code field. A 134 or 139 translates to service certificate requests that have gone unfulfilled.

Example of an error:

{
    "status": "INVALID_LICENSE_CHALLENGE",
    "supported_tracks": [],
    "internal_status": 134,
    "client_info": []
}

You will need to ensure that your license proxy is passing the service certificate request through for fulfillment by the Cloud License Service.

Best,
The Widevine team

As I said, this appears to be a bug in the license server, specifically the UAT server. There is nothing to be done on the client side, and this appears to be affecting platforms other than desktop Chrome. Please stand by, and I will confirm here when the server problem has been fixed.

I believe this issue has now been resolved. We were told by Google that the UAT environment issue has been corrected and I can play Widevine content in Canary (59) through the sample app.

My question is whether this requires client side code changes. The Shaka sample code that was provided by the Widevine team shows how to configure the certificate. Is this required only to avoid extraneous requests? I.e. if we do not configure anything, playback won't break, but it will require a certificate request prior to playback of each piece of content? It's unclear to me where we should be getting this certificate from so that we can configure it on the player.

Yes, I can confirm that the issue with UAT has been fixed.

The sample code provided by Widevine shows how to avoid the extra request made by the CDM to provision the server certificate. If you provide the CDM with a certificate in advance, it won't have to request one. This is an optimization that is not required, but Shaka Player supports through configuration.

I don't have a good answer on where you should get this certificate from. I will work to clarify that, and make an announcement on the shaka-player-users list when I have that information. In the mean time, everything should still work.

Since the bug in UAT is fixed, I'm going to close this issue. Thanks, everyone, for your patience.

We are still seeing this with the Widevine UAT environment, but not production

Please refer to Widevine support for license server issues. Shaka Player has no control over that. We apologize for the inconvenience.

We reached out to our Widevine contacts, i just wanted to update the ticket. It works in production, which is good.