| author | Carl Hetherington <cth@carlh.net> | 2022-02-12 23:11:44 +0100 |
|---|---|---|
| committer | Carl Hetherington <cth@carlh.net> | 2022-02-12 23:15:31 +0100 |
| commit | 3e6b2d886961177c8d89b3f9168393d33c13bff2 (patch) | |
| tree | 34db251b8c936579d91a549a4a40928c413396a4 | |
| parent | 9bda3fda70912d73266a2dbac5470ca23d2ff6fd (diff) | |
Warn if the signing certificates have a validity period > 10 years (#2174).
| -rw-r--r-- | src/lib/config.cc | 4 | ||||
| -rw-r--r-- | src/lib/config.h | 8 | ||||
| -rw-r--r-- | src/tools/dcpomatic.cc | 17 |
3 files changed, 26 insertions, 3 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc
index abf0eb42b..371682966 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -456,6 +456,9 @@ try
 if (i.has_utf8_strings()) {
 bad = BAD_SIGNER_UTF8_STRINGS;
 }
+ if ((i.not_after().year() - i.not_before().year()) > 15) {
+ bad = BAD_SIGNER_VALIDITY_TOO_LONG;
+ }
 }
 if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
@@ -472,6 +475,7 @@ try
 switch (*bad) {
 case BAD_SIGNER_UTF8_STRINGS:
 case BAD_SIGNER_INCONSISTENT:
+ case BAD_SIGNER_VALIDITY_TOO_LONG:
 _signer_chain = create_certificate_chain ();
 break;
 case BAD_DECRYPTION_INCONSISTENT:
diff --git a/src/lib/config.h b/src/lib/config.h
index 19e05608c..6e197d36d 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -402,6 +402,7 @@ public:
 NAG_DELETE_DKDM,
 NAG_32_ON_64,
 NAG_TOO_MANY_DROPPED_FRAMES,
+ NAG_BAD_SIGNER_CHAIN_VALIDITY,
 NAG_COUNT
 };
@@ -1059,9 +1060,10 @@ public:
 * true to ask Config to solve the problem (by discarding and recreating the bad thing)
 */
 enum BadReason {
- BAD_SIGNER_UTF8_STRINGS, ///< signer chain contains UTF-8 strings (not PRINTABLESTRING)
- BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
- BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
+ BAD_SIGNER_UTF8_STRINGS, ///< signer chain contains UTF-8 strings (not PRINTABLESTRING)
+ BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
+ BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
+ BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years
 };
 static boost::signals2::signal<bool (BadReason)> Bad;
diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index a273d008b..9990f05ad 100644
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
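Review bot: The limit in `(i.not_after().year() - i.not_before().year()) > 15` in the first src/lib/config.cc hunk disagrees with the commit title and with the `BAD_SIGNER_VALIDITY_TOO_LONG` doc comment added in src/lib/config.h, both of which say 10 years. Subtracting calendar years also ignores month and day, so two certificates with the same real lifetime can fall on different sides of the limit depending on where their dates sit in the year. Either the number or the documentation should change, and a named constant with a comment stating the intended limit would make the check auditable, for example `// Some playback systems reject signer certificates valid for more than N years` above the `if`, with N set to the agreed value. The enclosing loop and function start outside the hunk.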
@@ -1822,6 +1822,23 @@ private:
 d->Destroy ();
 return r == wxID_OK;
 }
+ case Config::BAD_SIGNER_VALIDITY_TOO_LONG:
+ {
+ if (config->nagged(Config::NAG_BAD_SIGNER_CHAIN_VALIDITY)) {
+ return false;
+ }
+ auto d = new RecreateChainDialog (
+ _frame, _("Recreate signing certificates"),
+ _("The certificate chain that DCP-o-matic uses for signing DCPs and KDMs has a validity period\n"
+ "that is too long. This will cause problems playing back DCPs on some systems.\n"
+ "Do you want to re-create the certificate chain for signing DCPs and KDMs?"),
+ _("Do nothing"),
+ Config::NAG_BAD_SIGNER_CHAIN_VALIDITY
+ );
+ int const r = d->ShowModal ();
+ d->Destroy ();
+ return r == wxID_OK;
+ }
 case Config::BAD_SIGNER_INCONSISTENT:
 {
 auto d = new RecreateChainDialog (
 |
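Review bot: The early `return false` taken when `config->nagged(Config::NAG_BAD_SIGNER_CHAIN_VALIDITY)` is set leaves the flagged chain in use for signing with no trace. That is presumably the intent once the user has dismissed the reminder, but nothing in the new case says so. A comment such as `// User asked not to be warned again: keep the existing signer chain` above the `return false;` would make the decision explicit for whoever audits certificate handling later. The dialog text also says the validity period is "too long" without naming the limit, so a user who supplied their own certificates cannot tell what value would be accepted. The enclosing switch starts and ends outside the hunk.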
