authorCarl Hetherington <cth@carlh.net>2015-07-30 17:00:48 +0100
committerCarl Hetherington <cth@carlh.net>2015-07-30 17:00:48 +0100
commit682c060342d96e7511d09a5b86df605771f3a907 (patch)
treec5424127dd4c6af71623177862f5af7f9318aa32 /src/lib
parent54f93021620b7d26120c32b5f45a0d046d3612de (diff)
Allow config of the full KDM decryption chain.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/config.cc51
-rw-r--r--src/lib/config.h23
-rw-r--r--src/lib/dcp_decoder.cc2
-rw-r--r--src/lib/dcp_examiner.cc2
4 files changed, 32 insertions, 46 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc
index 7e3de966b..d99cd5fcb 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -35,6 +35,7 @@
#include <glib.h>
#include <boost/filesystem.hpp>
#include <boost/algorithm/string.hpp>
+#include <boost/foreach.hpp>
#include <cstdlib>
#include <fstream>
@@ -121,8 +122,8 @@ Config::read ()
if (!boost::filesystem::exists (file ())) {
/* Make a new set of signing certificates and key */
_signer_chain.reset (new dcp::CertificateChain (openssl_path ()));
- /* And decryption keys */
- make_decryption_keys ();
+ /* And similar for decryption of KDMs */
+ _decryption_chain.reset (new dcp::CertificateChain (openssl_path ()));
return;
}
@@ -236,9 +237,8 @@ Config::read ()
if (signer) {
shared_ptr<dcp::CertificateChain> c (new dcp::CertificateChain ());
/* Read the signing certificates and private key in from the config file */
- list<cxml::NodePtr> certificates = signer->node_children ("Certificate");
- for (list<cxml::NodePtr>::const_iterator i = certificates.begin(); i != certificates.end(); ++i) {
- c->add (dcp::Certificate ((*i)->content ()));
+ BOOST_FOREACH (cxml::NodePtr i, signer->node_children ("Certificate")) {
+ c->add (dcp::Certificate (i->content ()));
}
c->set_key (signer->string_child ("PrivateKey"));
_signer_chain = c;
@@ -247,28 +247,19 @@ Config::read ()
_signer_chain.reset (new dcp::CertificateChain (openssl_path ()));
}
- if (f.optional_string_child ("DecryptionCertificate")) {
- _decryption_certificate = dcp::Certificate (f.string_child ("DecryptionCertificate"));
- }
-
- if (f.optional_string_child ("DecryptionPrivateKey")) {
- _decryption_private_key = f.string_child ("DecryptionPrivateKey");
- }
-
- if (!f.optional_string_child ("DecryptionCertificate") || !f.optional_string_child ("DecryptionPrivateKey")) {
- /* Generate our own decryption certificate and key if either is not present in config */
- make_decryption_keys ();
+ cxml::NodePtr decryption = f.optional_node_child ("Decryption");
+ if (decryption) {
+ shared_ptr<dcp::CertificateChain> c (new dcp::CertificateChain ());
+ BOOST_FOREACH (cxml::NodePtr i, decryption->node_children ("Certificate")) {
+ c->add (dcp::Certificate (i->content ()));
+ }
+ c->set_key (signer->string_child ("PrivateKey"));
+ _decryption_chain = c;
+ } else {
+ _decryption_chain.reset (new dcp::CertificateChain (openssl_path ()));
}
}
-void
-Config::make_decryption_keys ()
-{
- dcp::CertificateChain c (openssl_path ());
- _decryption_certificate = c.leaf ();
- _decryption_private_key = c.key().get ();
-}
-
/** @return Filename to write configuration to */
boost::filesystem::path
Config::file () const
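Review bot: The decryption chain's private key is read from the wrong node: in the new `if (decryption)` branch, `c->set_key (signer->string_child ("PrivateKey"));` takes the Signer's key, so the chain's leaf certificate (which config.h now documents as the target for KDMs made for DCP-o-matic) will not correspond to the key used to decrypt those KDMs, and since write() serialises `_decryption_chain->key()` under `<Decryption>`, the next save persists the signer key there and silently overwrites the real decryption key. It also dereferences `signer`, which the earlier `if (signer)` treats as optional, so a config file with a Decryption node but no Signer node crashes here. The line should be `c->set_key (decryption->string_child ("PrivateKey"));`. If libdcp offers a way to check that a key matches a certificate, it would be worth rejecting a chain whose key does not match its leaf at load time rather than discovering it when a KDM fails to decrypt.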
@@ -378,14 +369,16 @@ Config::write () const
#endif
xmlpp::Element* signer = root->add_child ("Signer");
- dcp::CertificateChain::List certs = _signer_chain->root_to_leaf ();
- for (dcp::CertificateChain::List::const_iterator i = certs.begin(); i != certs.end(); ++i) {
- signer->add_child("Certificate")->add_child_text (i->certificate (true));
+ BOOST_FOREACH (dcp::Certificate const & i, _signer_chain->root_to_leaf ()) {
+ signer->add_child("Certificate")->add_child_text (i.certificate (true));
}
signer->add_child("PrivateKey")->add_child_text (_signer_chain->key().get ());
- root->add_child("DecryptionCertificate")->add_child_text (_decryption_certificate.certificate (true));
- root->add_child("DecryptionPrivateKey")->add_child_text (_decryption_private_key);
+ xmlpp::Element* decryption = root->add_child ("Decryption");
+ BOOST_FOREACH (dcp::Certificate const & i, _decryption_chain->root_to_leaf ()) {
+ decryption->add_child("Certificate")->add_child_text (i.certificate (true));
+ }
+ decryption->add_child("PrivateKey")->add_child_text (_decryption_chain->key().get ());
for (vector<boost::filesystem::path>::const_iterator i = _history.begin(); i != _history.end(); ++i) {
root->add_child("History")->add_child_text (i->string ());
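Review bot: Two private keys (the Signer key and now the Decryption key) are written as plain text into the `PrivateKey` elements, but nothing in this hunk constrains who can read the resulting file; the actual write of the document is outside the hunk, so confirm that file() is created with owner-only permissions (e.g. 0600) rather than the process umask, or at least record the requirement in a comment such as `/* Private keys are stored unencrypted; the config file must not be world-readable */` above the Signer element. Config::write's body starts before the hunk and continues after it.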
diff --git a/src/lib/config.h b/src/lib/config.h
index 573d2b292..eeb167d0d 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -203,12 +203,8 @@ public:
return _signer_chain;
}
- dcp::Certificate decryption_certificate () const {
- return _decryption_certificate;
- }
-
- std::string decryption_private_key () const {
- return _decryption_private_key;
+ boost::shared_ptr<const dcp::CertificateChain> decryption_chain () const {
+ return _decryption_chain;
}
bool check_for_updates () const {
@@ -380,12 +376,8 @@ public:
maybe_set (_signer_chain, s);
}
- void set_decryption_certificate (dcp::Certificate c) {
- maybe_set (_decryption_certificate, c);
- }
-
- void set_decryption_private_key (std::string k) {
- maybe_set (_decryption_private_key, k);
+ void set_decryption_chain (boost::shared_ptr<const dcp::CertificateChain> c) {
+ maybe_set (_decryption_chain, c);
}
void set_check_for_updates (bool c) {
@@ -430,7 +422,6 @@ private:
Config ();
boost::filesystem::path file () const;
void read ();
- void make_decryption_keys ();
void set_defaults ();
void set_kdm_email_to_default ();
@@ -490,8 +481,10 @@ private:
std::string _kdm_bcc;
std::string _kdm_email;
boost::shared_ptr<const dcp::CertificateChain> _signer_chain;
- dcp::Certificate _decryption_certificate;
- std::string _decryption_private_key;
+ /** Chain used to decrypt KDMs; the leaf of this chain is the target
+ * certificate for making KDMs given to DCP-o-matic.
+ */
+ boost::shared_ptr<const dcp::CertificateChain> _decryption_chain;
/** true to check for updates on startup */
bool _check_for_updates;
bool _check_for_test_updates;
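Review bot: The new comment on `_decryption_chain` describes the leaf as the KDM target certificate but says nothing about the key, even though `decryption_chain()` hands the private key out via `key()` and read() has to keep key and leaf consistent. Extend the comment with a second sentence such as `* The chain's private key must be the one matching that leaf; DCPDecoder and DCPExaminer use it to open KDMs.` so the invariant is stated where the member is declared.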
diff --git a/src/lib/dcp_decoder.cc b/src/lib/dcp_decoder.cc
index 053ff4f68..9cd327a52 100644
--- a/src/lib/dcp_decoder.cc
+++ b/src/lib/dcp_decoder.cc
@@ -49,7 +49,7 @@ DCPDecoder::DCPDecoder (shared_ptr<const DCPContent> c)
dcp::DCP dcp (c->directory ());
dcp.read ();
if (c->kdm ()) {
- dcp.add (dcp::DecryptedKDM (c->kdm().get (), Config::instance()->decryption_private_key ()));
+ dcp.add (dcp::DecryptedKDM (c->kdm().get (), Config::instance()->decryption_chain()->key().get ()));
}
DCPOMATIC_ASSERT (dcp.cpls().size() == 1);
_reels = dcp.cpls().front()->reels ();
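Review bot: The new `Config::instance()->decryption_chain()->key().get ()` dereferences what appears to be an optional (the `.get()` suggests `key()` may be empty) without checking it, whereas the replaced `decryption_private_key()` returned a plain string. If the configured chain carries no key — for example a hand-edited config — this becomes an assertion failure or undefined behaviour instead of a reportable error. Bind and check it first: `boost::optional<std::string> key = Config::instance()->decryption_chain()->key (); DCPOMATIC_ASSERT (key);` and pass `key.get ()`, or better, throw a user-facing error, since a missing key is a configuration problem rather than a programming bug. The constructor continues beyond the hunk.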
diff --git a/src/lib/dcp_examiner.cc b/src/lib/dcp_examiner.cc
index 633e8e9d7..5da4a5002 100644
--- a/src/lib/dcp_examiner.cc
+++ b/src/lib/dcp_examiner.cc
@@ -51,7 +51,7 @@ DCPExaminer::DCPExaminer (shared_ptr<const DCPContent> content)
dcp.read ();
if (content->kdm ()) {
- dcp.add (dcp::DecryptedKDM (content->kdm().get(), Config::instance()->decryption_private_key ()));
+ dcp.add (dcp::DecryptedKDM (content->kdm().get(), Config::instance()->decryption_chain()->key().get ()));
}
if (dcp.cpls().size() == 0) {
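Review bot: This is the second place, after DCPDecoder, that spells out `dcp::DecryptedKDM (kdm, Config::instance()->decryption_chain()->key().get ())`; putting the lookup behind one helper (for example an accessor on Config that returns the decryption private key or raises a clear error when the chain has none) keeps the unchecked `.get()` on the optional in a single reviewable place instead of two. DCPExaminer's constructor starts before the hunk and continues after it.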