@li0ard/widevine 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Nikolai Konovalov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,57 @@
+<p align="center">
+    <a href="https://github.com/li0ard/widevine/">
+        <img src="https://raw.githubusercontent.com/li0ard/widevine/main/.github/logo.svg" alt="widevine logo" title="widevine" width="120" /><br>
+    </a><br>
+    <b>@li0ard/widevine</b><br>
+    <b>Simple Widevine CDM implementation</b>
+    <br>
+    <a href="https://li0ard.is-cool.dev/widevine">docs</a>
+    <br><br>
+    <a href="https://github.com/li0ard/widevine/blob/main/LICENSE"><img src="https://img.shields.io/github/license/li0ard/widevine" /></a>
+    <a href="https://npmjs.com/package/@li0ard/widevine"><img src="https://img.shields.io/npm/v/@li0ard/widevine" />
+    <br>
+    <hr>
+</p>
+
+## Installation
+
+```bash
+# from NPM
+npm i @li0ard/widevine
+
+# from JSR
+bunx jsr add @li0ard/widevine 
+```
+
+## Example
+
+```ts
+import { CDM, PSSH, Device, DeviceType, KeyType } from "@li0ard/widevine";
+
+const device = Device.decode(
+    DeviceType.ANDROID,
+    Buffer.from("....", "base64"),
+    Buffer.from("....", "base64")
+);
+
+const cdm = new CDM(device);
+const sessionId = cdm.open();
+
+const pssh = PSSH.decode(Buffer.from("....", "base64"));
+
+const challenge = cdm.get_license_challenge(sessionId, pssh);
+const license = await (await fetch(`https://cwip-shaka-proxy.appspot.com/no_auth`, {
+    method: "POST",
+    body: challenge
+})).arrayBuffer();
+
+for(const key of cdm.parse_license(sessionId, new Uint8Array(license)))
+    console.log(`- [${KeyType[key.type]}] ${bytesToHex(key.kid)}:${bytesToHex(key.key)}`);
+
+cdm.close(sessionId);
+```
+
+## Links
+
+- [Widevine](https://widevine.com) - Widevine (and Widevine icon) by Google
+- [pywidevine](https://github.com/devine-dl/pywidevine) - An Open Source Python Implementation of Widevine CDM (greatly inspired)

package/dist/const.d.ts

@@ -0,0 +1,10 @@
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+/** Widevine System ID */
+export declare const WIDEVINE_SID: Readonly<Uint8Array>;
+/** Device type */
+export declare enum DeviceType {
+    CHROME = 1,
+    ANDROID = 2
+}
+/** Key type */
+export declare const KeyType: typeof pywidevine_license_protocol.License.KeyContainer.KeyType;

package/dist/const.js

@@ -0,0 +1,11 @@
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+/** Widevine System ID */
+export const WIDEVINE_SID = new Uint8Array([0xed, 0xef, 0x8b, 0xa9, 0x79, 0xd6, 0x4a, 0xce, 0xa3, 0xc8, 0x27, 0xdc, 0xd5, 0x1d, 0x21, 0xed]);
+/** Device type */
+export var DeviceType;
+(function (DeviceType) {
+    DeviceType[DeviceType["CHROME"] = 1] = "CHROME";
+    DeviceType[DeviceType["ANDROID"] = 2] = "ANDROID";
+})(DeviceType || (DeviceType = {}));
+/** Key type */
+export const KeyType = pywidevine_license_protocol.License.KeyContainer.KeyType;

package/dist/device.d.ts

@@ -0,0 +1,25 @@
+import type { PublicKey, PrivateKey } from 'micro-rsa-dsa-dh/rsa.js';
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+import type { DeviceType } from './const.js';
+/** Device instance for CDM */
+export declare class Device {
+    type: DeviceType;
+    privateKey: PrivateKey;
+    client_id: pywidevine_license_protocol.ClientIdentification;
+    /**
+     * Device instance for CDM
+     * @param type Device type
+     * @param privateKey Device private key
+     * @param client_id Device client identification
+     */
+    constructor(type: DeviceType, privateKey: PrivateKey, client_id: pywidevine_license_protocol.ClientIdentification);
+    /** Device public key */
+    get publicKey(): PublicKey;
+    /**
+     * Get device instance from dump
+     * @param type Device type
+     * @param client_id Device client identification blob (`client_id.bin`)
+     * @param privateKey Device private key blob (ASN.1 encoded)
+     */
+    static decode(type: DeviceType, client_id: Uint8Array, privateKey: Uint8Array): Device;
+}

package/dist/device.js

@@ -0,0 +1,38 @@
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+import { decodePrivateKey, decodePublicKey, parseCerificate } from './utils.js';
+/** Device instance for CDM */
+export class Device {
+    type;
+    privateKey;
+    client_id;
+    /**
+     * Device instance for CDM
+     * @param type Device type
+     * @param privateKey Device private key
+     * @param client_id Device client identification
+     */
+    constructor(type, privateKey, client_id) {
+        this.type = type;
+        this.privateKey = privateKey;
+        this.client_id = client_id;
+    }
+    /** Device public key */
+    get publicKey() {
+        const certificate = parseCerificate(this.client_id.token);
+        if (!certificate.public_key)
+            throw new Error("Missing public key in DRM certificate");
+        return decodePublicKey(certificate.public_key);
+    }
+    /**
+     * Get device instance from dump
+     * @param type Device type
+     * @param client_id Device client identification blob (`client_id.bin`)
+     * @param privateKey Device private key blob (ASN.1 encoded)
+     */
+    static decode(type, client_id, privateKey) {
+        const clientId = pywidevine_license_protocol.ClientIdentification.deserialize(client_id);
+        if (!clientId.token)
+            throw new Error("Missing token in Client ID");
+        return new Device(type, decodePrivateKey(privateKey), clientId);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,42 @@
+import type { Device } from "./device.js";
+import type { PSSH } from "./pssh.js";
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+import { Key } from "./key.js";
+/** Widevine Content Decryption Module (CDM) instance */
+export declare class CDM {
+    device: Device;
+    private sessions;
+    private signer;
+    private crypter;
+    /**
+     * Widevine Content Decryption Module (CDM) instance
+     * @param device Device instance
+     */
+    constructor(device: Device);
+    /** Open session */
+    open(): string;
+    /**
+     * Close session
+     * @param sessionId Session ID
+     */
+    close(sessionId: string): void;
+    /**
+     * Get license request (challenge)
+     * @param sessionId Session ID
+     * @param pssh PSSH object
+     * @param license_type License type (default - `STREAMING`)
+     */
+    get_license_challenge(sessionId: string, pssh: PSSH, license_type?: pywidevine_license_protocol.LicenseType): Uint8Array;
+    /**
+     * Get keys from license response
+     * @param sessionId Session ID
+     * @param license_response License response
+     */
+    parse_license(sessionId: string, license_response: Uint8Array): Key[];
+    private derive_keys;
+    private derive_context;
+}
+export { WIDEVINE_SID, KeyType, DeviceType } from "./const.js";
+export { Device } from "./device.js";
+export { Key } from "./key.js";
+export { PSSH } from "./pssh.js";

package/dist/index.js

@@ -0,0 +1,126 @@
+import { bytesToHex, concatBytes, equalBytes, numberToBytesBE, randomBytes } from "@noble/ciphers/utils.js";
+import { DeviceType } from "./const.js";
+import { Session } from "./session.js";
+import { PSS, OAEP, mgf1 } from 'micro-rsa-dsa-dh/rsa.js';
+import { sha1 } from "@noble/hashes/legacy.js";
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { cmac } from "@noble/ciphers/aes.js";
+import { Key } from "./key.js";
+const { LicenseType, LicenseRequest, ProtocolVersion, SignedMessage, License } = pywidevine_license_protocol;
+const ENCRYPTION_LABEL = new Uint8Array([0x45, 0x4e, 0x43, 0x52, 0x59, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x00]); // ENCRYPTION + \x00
+const ENCRYPTION_SIZE = new Uint8Array([0, 0, 0, 0x80]); // 128
+const AUTHENTICATION_LABEL = new Uint8Array([0x41, 0x55, 0x54, 0x48, 0x45, 0x4e, 0x54, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x00]); // AUTHENTICATION + \x00
+const AUTHENTICATION_SIZE = new Uint8Array([0, 0, 2, 0]); // 512
+/** Widevine Content Decryption Module (CDM) instance */
+export class CDM {
+    device;
+    sessions = new Map();
+    signer;
+    crypter;
+    /**
+     * Widevine Content Decryption Module (CDM) instance
+     * @param device Device instance
+     */
+    constructor(device) {
+        this.device = device;
+        this.signer = PSS(sha1, mgf1(sha1), 20);
+        this.crypter = OAEP(sha1, mgf1(sha1));
+    }
+    /** Open session */
+    open() {
+        const session = new Session(this.sessions.size + 1);
+        const id = bytesToHex(session.id);
+        this.sessions.set(id, session);
+        return id;
+    }
+    /**
+     * Close session
+     * @param sessionId Session ID
+     */
+    close(sessionId) {
+        if (!this.sessions.get(sessionId))
+            throw new Error("Session identifier is invalid");
+        this.sessions.delete(sessionId);
+    }
+    /**
+     * Get license request (challenge)
+     * @param sessionId Session ID
+     * @param pssh PSSH object
+     * @param license_type License type (default - `STREAMING`)
+     */
+    get_license_challenge(sessionId, pssh, license_type = LicenseType.STREAMING) {
+        const session = this.sessions.get(sessionId);
+        if (!session)
+            throw new Error("Session identifier is invalid");
+        let request_id;
+        if (this.device.type == DeviceType.ANDROID)
+            request_id = new TextEncoder().encode(bytesToHex(concatBytes(randomBytes(4), new Uint8Array(4), numberToBytesBE(session.number, 8).reverse())).toUpperCase());
+        else
+            request_id = randomBytes(16);
+        const wvdPsshData = new LicenseRequest.ContentIdentification.WidevinePsshData();
+        wvdPsshData.pssh_data = [pssh.init_data];
+        wvdPsshData.license_type = license_type;
+        wvdPsshData.request_id = request_id;
+        const contentId = new LicenseRequest.ContentIdentification();
+        contentId.widevine_pssh_data = wvdPsshData;
+        const licenseRequest = new LicenseRequest();
+        licenseRequest.client_id = this.device.client_id;
+        licenseRequest.content_id = contentId;
+        licenseRequest.type = LicenseRequest.RequestType.NEW;
+        licenseRequest.request_time = Math.round(Date.now() / 1000);
+        licenseRequest.protocol_version = ProtocolVersion.VERSION_2_1;
+        licenseRequest.key_control_nonce = Math.floor(Math.random() * 2000000) + 1;
+        const licenseRequestSerialized = licenseRequest.serializeBinary();
+        const signedLicenseRequest = new SignedMessage();
+        signedLicenseRequest.type = SignedMessage.MessageType.LICENSE_REQUEST;
+        signedLicenseRequest.msg = licenseRequestSerialized;
+        signedLicenseRequest.signature = this.signer.sign(this.device.privateKey, licenseRequestSerialized);
+        session.context.set(bytesToHex(request_id), this.derive_context(licenseRequestSerialized));
+        return signedLicenseRequest.serializeBinary();
+    }
+    /**
+     * Get keys from license response
+     * @param sessionId Session ID
+     * @param license_response License response
+     */
+    parse_license(sessionId, license_response) {
+        const session = this.sessions.get(sessionId);
+        if (!session)
+            throw new Error("Session identifier is invalid");
+        const license_message = SignedMessage.deserializeBinary(license_response);
+        if (license_message.type != SignedMessage.MessageType.LICENSE)
+            throw new Error("Invalid message type");
+        const license = License.deserializeBinary(license_message.msg);
+        const context = session.context.get(bytesToHex(license.id.request_id));
+        if (!context)
+            throw new Error("Cannot parse a license message without first making a license request");
+        const [enc_key, mac_key_server, _] = this.derive_keys(context[0], context[1], this.crypter.decrypt(this.device.privateKey, license_message.session_key));
+        const computed_signature = hmac(sha256, mac_key_server, license_message.oemcrypto_core_message.length != 0
+            ? concatBytes(license_message.oemcrypto_core_message, license_message.msg)
+            : license_message.msg);
+        if (!equalBytes(computed_signature, license_message.signature))
+            throw new Error("Signature mismatch on license message");
+        session.keys = license.key.map(i => Key.fromContainer(i, enc_key));
+        session.context.delete(bytesToHex(license.id.request_id));
+        return session.keys;
+    }
+    derive_keys(enc_context, mac_context, key) {
+        const _derive = (session_key, context, counter) => cmac(session_key, concatBytes(numberToBytesBE(counter, 1), context));
+        const enc_key = _derive(key, enc_context, 1);
+        const mac_key_server = concatBytes(_derive(key, mac_context, 1), _derive(key, mac_context, 2));
+        const mac_key_client = concatBytes(_derive(key, mac_context, 3), _derive(key, mac_context, 4));
+        return [enc_key, mac_key_server, mac_key_client];
+    }
+    derive_context(message) {
+        return [
+            concatBytes(ENCRYPTION_LABEL, message, ENCRYPTION_SIZE),
+            concatBytes(AUTHENTICATION_LABEL, message, AUTHENTICATION_SIZE)
+        ];
+    }
+}
+export { WIDEVINE_SID, KeyType, DeviceType } from "./const.js";
+export { Device } from "./device.js";
+export { Key } from "./key.js";
+export { PSSH } from "./pssh.js";

package/dist/key.d.ts

@@ -0,0 +1,20 @@
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+/** Key instance */
+export declare class Key {
+    type: pywidevine_license_protocol.License.KeyContainer.KeyType;
+    kid: Uint8Array;
+    key: Uint8Array;
+    /**
+     * Key instance
+     * @param type Type
+     * @param kid ID
+     * @param key Key
+     */
+    constructor(type: pywidevine_license_protocol.License.KeyContainer.KeyType, kid: Uint8Array, key: Uint8Array);
+    /**
+     * Get key from license key container
+     * @param key Key container
+     * @param encKey Decryption key
+     */
+    static fromContainer(key: pywidevine_license_protocol.License.KeyContainer, encKey: Uint8Array): Key;
+}

package/dist/key.js

@@ -0,0 +1,27 @@
+import { cbc } from "@noble/ciphers/aes.js";
+import { pywidevine_license_protocol } from "./protos/license_protocol.js";
+/** Key instance */
+export class Key {
+    type;
+    kid;
+    key;
+    /**
+     * Key instance
+     * @param type Type
+     * @param kid ID
+     * @param key Key
+     */
+    constructor(type, kid, key) {
+        this.type = type;
+        this.kid = kid;
+        this.key = key;
+    }
+    /**
+     * Get key from license key container
+     * @param key Key container
+     * @param encKey Decryption key
+     */
+    static fromContainer(key, encKey) {
+        return new Key(key.type, key.id, cbc(encKey, key.iv).decrypt(key.key));
+    }
+}