authorCarl Hetherington <cth@carlh.net>2024-01-08 19:01:21 +0100
committerCarl Hetherington <cth@carlh.net>2024-01-09 11:54:17 +0100
commit69a84c50d0e1196c3a83883173e4a301ff550364 (patch)
tree2d9342d791e46d04223f5ed589114f637ab077cf /src/lib
parent12d1abf033654727d6ab6278087ff7cfc65d63f6 (diff)
Check for bad DN qualifiers on signer certificates (#2716).
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/config.cc4
-rw-r--r--src/lib/config.h2
2 files changed, 6 insertions, 0 deletions
diff --git a/src/lib/config.cc b/src/lib/config.cc
index 45fc61923..1bb2f3c6a 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -501,6 +501,7 @@ try
case BAD_SIGNER_UTF8_STRINGS:
case BAD_SIGNER_INCONSISTENT:
case BAD_SIGNER_VALIDITY_TOO_LONG:
+ case BAD_SIGNER_DN_QUALIFIER:
_signer_chain = create_certificate_chain ();
break;
case BAD_DECRYPTION_INCONSISTENT:
@@ -1590,6 +1591,9 @@ Config::check_certificates () const
if ((i.not_after().year() - i.not_before().year()) > 15) {
bad = BAD_SIGNER_VALIDITY_TOO_LONG;
}
+ if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) {
+ bad = BAD_SIGNER_DN_QUALIFIER;
+ }
}
if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
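Review bot: The added dnQualifier test assigns `bad` after the validity-period test, so a certificate that fails both is reported only as `BAD_SIGNER_DN_QUALIFIER`. In the first config.cc hunk both reasons fall through to the same `create_certificate_chain ()` recovery, so nothing is lost there, but any other listener on `Bad` sees only the last reason. It is also not visible here what `i.subject_dn_qualifier()` does for a certificate that carries no dnQualifier at all; if it can throw (inferred, the libdcp side is not shown) the check would abort instead of flagging the chain, so it is worth confirming that an absent qualifier ends up as `BAD_SIGNER_DN_QUALIFIER`. A one-line comment such as `// dnQualifier must equal the digest of the certificate's own public key` would explain why the two values are compared. The loop and the function both start outside the hunk.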
diff --git a/src/lib/config.h b/src/lib/config.h
index 0a332bcbb..dce4aafef 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -430,6 +430,7 @@ public:
NAG_32_ON_64,
NAG_TOO_MANY_DROPPED_FRAMES,
NAG_BAD_SIGNER_CHAIN_VALIDITY,
+ NAG_BAD_SIGNER_DN_QUALIFIER,
NAG_COUNT
};
@@ -1224,6 +1225,7 @@ public:
BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years
+ BAD_SIGNER_DN_QUALIFIER, ///< some signer certificate has a bad dnQualifier (DoM #2716).
};
static boost::signals2::signal<bool (BadReason)> Bad;
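Review bot: The doc comment on `BAD_SIGNER_DN_QUALIFIER` says only that the dnQualifier is "bad", while the check added in config.cc tests one specific condition. Wording such as `///< some signer certificate's dnQualifier does not match the digest of its public key (DoM #2716)` would tell a `Bad` handler what was actually detected. The neighbouring context line documents `BAD_SIGNER_VALIDITY_TOO_LONG` as ">10 years", whereas the check visible in config.cc compares the year difference with 15, so one of the two looks stale. The enum starts outside the hunk.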