diff options
| author | Carl Hetherington <cth@carlh.net> | 2024-01-08 19:01:21 +0100 |
|---|---|---|
| committer | Carl Hetherington <cth@carlh.net> | 2024-01-09 11:54:17 +0100 |
| commit | 69a84c50d0e1196c3a83883173e4a301ff550364 (patch) | |
| tree | 2d9342d791e46d04223f5ed589114f637ab077cf | |
| parent | 12d1abf033654727d6ab6278087ff7cfc65d63f6 (diff) | |
Check for bad DN qualifiers on signer certificates (#2716).
| -rw-r--r-- | src/lib/config.cc | 4 | ||||
| -rw-r--r-- | src/lib/config.h | 2 | ||||
| -rw-r--r-- | src/tools/dcpomatic.cc | 13 | ||||
| m--------- | test/data | 0 |
4 files changed, 19 insertions, 0 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc index 45fc61923..1bb2f3c6a 100644 --- a/src/lib/config.cc +++ b/src/lib/config.cc @@ -501,6 +501,7 @@ try case BAD_SIGNER_UTF8_STRINGS: case BAD_SIGNER_INCONSISTENT: case BAD_SIGNER_VALIDITY_TOO_LONG: + case BAD_SIGNER_DN_QUALIFIER: _signer_chain = create_certificate_chain (); break; case BAD_DECRYPTION_INCONSISTENT: @@ -1590,6 +1591,9 @@ Config::check_certificates () const if ((i.not_after().year() - i.not_before().year()) > 15) { bad = BAD_SIGNER_VALIDITY_TOO_LONG; } + if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) { + bad = BAD_SIGNER_DN_QUALIFIER; + } } if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) { diff --git a/src/lib/config.h b/src/lib/config.h index 0a332bcbb..dce4aafef 100644 --- a/src/lib/config.h +++ b/src/lib/config.h @@ -430,6 +430,7 @@ public: NAG_32_ON_64, NAG_TOO_MANY_DROPPED_FRAMES, NAG_BAD_SIGNER_CHAIN_VALIDITY, + NAG_BAD_SIGNER_DN_QUALIFIER, NAG_COUNT }; @@ -1224,6 +1225,7 @@ public: BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years + BAD_SIGNER_DN_QUALIFIER, ///< some signer certificate has a bad dnQualifier (DoM #2716). }; static boost::signals2::signal<bool (BadReason)> Bad; diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc index 5bd8b8def..8faaf5bcd 100644 --- a/src/tools/dcpomatic.cc +++ b/src/tools/dcpomatic.cc @@ -1919,6 +1919,19 @@ private: } return true; } + case Config::BAD_SIGNER_DN_QUALIFIER: + { + RecreateChainDialog dialog( + _frame, _("Recreate signing certificates"), + _("The certificate chain that DCP-o-matic uses for signing DCPs and KDMs contains a small error\n" + "which will prevent DCPs from being validated correctly on some systems. This error was caused\n" + "by a bug in DCP-o-matic which has now been fixed. Do you want to re-create the certificate chain\n" + "for signing DCPs and KDMs?"), + _("Do nothing"), + Config::NAG_BAD_SIGNER_DN_QUALIFIER + ); + return dialog.ShowModal() == wxID_OK; + } default: DCPOMATIC_ASSERT (false); } diff --git a/test/data b/test/data -Subproject ae6d44f2c605b2035fa0346798c3b536ed1a016 +Subproject a4ad4c1a4880d02aabf2790e11c4e5c2c28034d |