Keep signing certificates / keys in config.xml rather than on disk; allow configuration.

12 files changed, 396 insertions, 81 deletions

diff --git a/src/lib/config.cc b/src/lib/config.cc
index f2f25efe9..0d6a55054 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -25,6 +25,8 @@
 #include <boost/algorithm/string.hpp>
 #include <dcp/colour_matrix.h>
 #include <dcp/raw_convert.h>
+#include <dcp/signer.h>
+#include <dcp/certificate_chain.h>
 #include <libcxml/cxml.h>
 #include "config.h"
 #include "server.h"
@@ -36,6 +38,7 @@
 #include "colour_conversion.h"
 #include "cinema.h"
 #include "util.h"
+#include "cross.h"
 
 #include "i18n.h"
 
@@ -207,6 +210,37 @@ Config::read ()
 	_allow_any_dcp_frame_rate = f.optional_bool_child ("AllowAnyDCPFrameRate");
 
 	_log_types = f.optional_number_child<int> ("LogTypes").get_value_or (Log::TYPE_GENERAL | Log::TYPE_WARNING | Log::TYPE_ERROR);
+
+	cxml::NodePtr signer = f.optional_node_child ("Signer");
+	dcp::CertificateChain signer_chain;
+	if (signer) {
+		/* Read the signing certificates and private key in from the config file */
+		list<cxml::NodePtr> certificates = signer->node_children ("Certificate");
+		for (list<cxml::NodePtr>::const_iterator i = certificates.begin(); i != certificates.end(); ++i) {
+			signer_chain.add (shared_ptr<dcp::Certificate> (new dcp::Certificate ((*i)->content ())));
+		}
+
+		_signer.reset (new dcp::Signer (signer_chain, signer->string_child ("PrivateKey")));
+	} else {
+		/* Make a new set of signing certificates and key */
+		_signer.reset (new dcp::Signer (openssl_path ()));
+	}
+
+	if (f.optional_string_child ("DecryptionCertificate")) {
+		_decryption_certificate = dcp::Certificate (f.string_child ("DecryptionCertificate"));
+	}
+
+	if (f.optional_string_child ("DecryptionPrivateKey")) {
+		_decryption_private_key = f.string_child ("DecryptionPrivateKey");
+	}
+
+	if (!f.optional_string_child ("DecryptionCertificate") || !f.optional_string_child ("DecryptionPrivateKey")) {
+		/* Generate our own decryption certificate and key if either is not present in config */
+		boost::filesystem::path p = dcp::make_certificate_chain (openssl_path ());
+		_decryption_certificate = dcp::Certificate (dcp::file_to_string (p / "leaf.signed.pem"));
+		_decryption_private_key = dcp::file_to_string (p / "leaf.key");
+		boost::filesystem::remove_all (p);
+	}
 }
 
 /** @return Filename to write configuration to */
@@ -227,17 +261,6 @@ Config::file (bool old) const
 	return p;
 }
 
-boost::filesystem::path
-Config::signer_chain_directory () const
-{
-	boost::filesystem::path p;
-	p /= g_get_user_config_dir ();
-	p /= "dcpomatic";
-	p /= "crypt";
-	boost::filesystem::create_directories (p);
-	return p;
-}
-
 /** @return Singleton instance */
 Config *
 Config::instance ()
@@ -326,7 +349,17 @@ Config::write () const
 	root->add_child("MaximumJ2KBandwidth")->add_child_text (raw_convert<string> (_maximum_j2k_bandwidth));
 	root->add_child("AllowAnyDCPFrameRate")->add_child_text (_allow_any_dcp_frame_rate ? "1" : "0");
 	root->add_child("LogTypes")->add_child_text (raw_convert<string> (_log_types));
-	
+
+	xmlpp::Element* signer = root->add_child ("Signer");
+	dcp::CertificateChain::List certs = _signer->certificates().root_to_leaf ();
+	for (dcp::CertificateChain::List::const_iterator i = certs.begin(); i != certs.end(); ++i) {
+		signer->add_child("Certificate")->add_child_text ((*i)->certificate (true));
+	}
+	signer->add_child("PrivateKey")->add_child_text (_signer->key ());
+
+	root->add_child("DecryptionCertificate")->add_child_text (_decryption_certificate.certificate (true));
+	root->add_child("DecryptionPrivateKey")->add_child_text (_decryption_private_key);
+
 	doc.write_to_file_formatted (file(false).string ());
 }
 
diff --git a/src/lib/config.h b/src/lib/config.h
index 03dd9c0fe..d8ac75bed 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -29,6 +29,8 @@
 #include <boost/signals2.hpp>
 #include <boost/filesystem.hpp>
 #include <dcp/metadata.h>
+#include <dcp/certificates.h>
+#include <dcp/signer.h>
 #include "isdcf_metadata.h"
 #include "colour_conversion.h"
 
@@ -188,6 +190,18 @@ public:
 		return _kdm_email;
 	}
 
+	boost::shared_ptr<const dcp::Signer> signer () const {
+		return _signer;
+	}
+
+	dcp::Certificate decryption_certificate () const {
+		return _decryption_certificate;
+	}
+
+	std::string decryption_private_key () const {
+		return _decryption_private_key;
+	}
+
 	bool check_for_updates () const {
 		return _check_for_updates;
 	}
@@ -357,6 +371,21 @@ public:
 
 	void reset_kdm_email ();
 
+	void set_signer (boost::shared_ptr<const dcp::Signer> s) {
+		_signer = s;
+		changed ();
+	}
+
+	void set_decryption_certificate (dcp::Certificate c) {
+		_decryption_certificate = c;
+		changed ();
+	}
+
+	void set_decryption_private_key (std::string k) {
+		_decryption_private_key = k;
+		changed ();
+	}
+
 	void set_check_for_updates (bool c) {
 		_check_for_updates = c;
 		changed ();
@@ -377,8 +406,6 @@ public:
 		changed ();
 	}
 	
-	boost::filesystem::path signer_chain_directory () const;
-
 	void changed ();
 	boost::signals2::signal<void ()> Changed;
 
@@ -435,6 +462,9 @@ private:
 	std::string _kdm_from;
 	std::string _kdm_cc;
 	std::string _kdm_email;
+	boost::shared_ptr<const dcp::Signer> _signer;
+	dcp::Certificate _decryption_certificate;
+	std::string _decryption_private_key;
 	/** true to check for updates on startup */
 	bool _check_for_updates;
 	bool _check_for_test_updates;
diff --git a/src/lib/exceptions.cc b/src/lib/exceptions.cc
index f34cebbfe..95d4c8cce 100644
--- a/src/lib/exceptions.cc
+++ b/src/lib/exceptions.cc
@@ -67,3 +67,9 @@ SubRipError::SubRipError (string saw, string expecting, boost::filesystem::path
 {
 	
 }
+
+InvalidSignerError::InvalidSignerError ()
+	: StringError (_("The certificate chain for signing is invalid"))
+{
+
+}
diff --git a/src/lib/exceptions.h b/src/lib/exceptions.h
index a8969d702..52f257a8d 100644
--- a/src/lib/exceptions.h
+++ b/src/lib/exceptions.h
@@ -253,6 +253,12 @@ public:
 	{}
 };
 
+class InvalidSignerError : public StringError
+{
+public:
+	InvalidSignerError ();
+};
+
 /** @class ExceptionStore
  *  @brief A parent class for classes which have a need to catch and
  *  re-throw exceptions.
@@ -295,6 +301,4 @@ private:
 	mutable boost::mutex _mutex;
 };
 
-	
-
 #endif
diff --git a/src/lib/film.cc b/src/lib/film.cc
index 85dc5b168..eaf738b8b 100644
--- a/src/lib/film.cc
+++ b/src/lib/film.cc
@@ -1078,9 +1078,14 @@ Film::make_kdm (
 	) const
 {
 	shared_ptr<const dcp::CPL> cpl (new dcp::CPL (cpl_file));
+	shared_ptr<const dcp::Signer> signer = Config::instance()->signer();
+	if (!signer->valid ()) {
+		throw InvalidSignerError ();
+	}
+	
 	return dcp::DecryptedKDM (
 		cpl, from, until, "DCP-o-matic", cpl->content_title_text(), dcp::LocalTime().as_string()
-		).encrypt (make_signer(), target, formulation);
+		).encrypt (signer, target, formulation);
 }
 
 list<dcp::EncryptedKDM>
diff --git a/src/lib/util.cc b/src/lib/util.cc
index 837f3cdf3..c7ef40a1c 100644
--- a/src/lib/util.cc
+++ b/src/lib/util.cc
@@ -791,59 +791,6 @@ tidy_for_filename (string f)
 	return t;
 }
 
-shared_ptr<const dcp::Signer>
-make_signer ()
-{
-	boost::filesystem::path const sd = Config::instance()->signer_chain_directory ();
-
-	/* Remake the chain if any of it is missing */
-	
-	list<boost::filesystem::path> files;
-	files.push_back ("ca.self-signed.pem");
-	files.push_back ("intermediate.signed.pem");
-	files.push_back ("leaf.signed.pem");
-	files.push_back ("leaf.key");
-
-	list<boost::filesystem::path>::const_iterator i = files.begin();
-	while (i != files.end()) {
-		boost::filesystem::path p (sd);
-		p /= *i;
-		if (!boost::filesystem::exists (p)) {
-			boost::filesystem::remove_all (sd);
-			boost::filesystem::create_directories (sd);
-			dcp::make_signer_chain (sd, openssl_path ());
-			break;
-		}
-
-		++i;
-	}
-	
-	dcp::CertificateChain chain;
-
-	{
-		boost::filesystem::path p (sd);
-		p /= "ca.self-signed.pem";
-		chain.add (shared_ptr<dcp::Certificate> (new dcp::Certificate (p)));
-	}
-
-	{
-		boost::filesystem::path p (sd);
-		p /= "intermediate.signed.pem";
-		chain.add (shared_ptr<dcp::Certificate> (new dcp::Certificate (p)));
-	}
-
-	{
-		boost::filesystem::path p (sd);
-		p /= "leaf.signed.pem";
-		chain.add (shared_ptr<dcp::Certificate> (new dcp::Certificate (p)));
-	}
-
-	boost::filesystem::path signer_key (sd);
-	signer_key /= "leaf.key";
-
-	return shared_ptr<const dcp::Signer> (new dcp::Signer (chain, signer_key));
-}
-
 map<string, string>
 split_get_request (string url)
 {
diff --git a/src/lib/util.h b/src/lib/util.h
index 094d57f40..b7dc978e3 100644
--- a/src/lib/util.h
+++ b/src/lib/util.h
@@ -32,7 +32,6 @@
 #include <boost/optional.hpp>
 #include <boost/filesystem.hpp>
 #include <dcp/util.h>
-#include <dcp/signer.h>
 extern "C" {
 #include <libavcodec/avcodec.h>
 #include <libavfilter/avfilter.h>
@@ -48,10 +47,6 @@ extern "C" {
 
 #define DCPOMATIC_HELLO "Boys, you gotta learn not to talk to nuns that way"
 
-namespace dcp {
-	class Signer;
-}
-
 class Job;
 struct AVSubtitle;
 
@@ -71,7 +66,6 @@ extern bool valid_image_file (boost::filesystem::path);
 extern boost::filesystem::path mo_path ();
 #endif
 extern std::string tidy_for_filename (std::string);
-extern boost::shared_ptr<const dcp::Signer> make_signer ();
 extern dcp::Size fit_ratio_within (float ratio, dcp::Size);
 extern std::string entities_to_text (std::string e);
 extern std::map<std::string, std::string> split_get_request (std::string url);
diff --git a/src/lib/writer.cc b/src/lib/writer.cc
index b165545c7..c34a6a66d 100644
--- a/src/lib/writer.cc
+++ b/src/lib/writer.cc
@@ -30,6 +30,7 @@
 #include <dcp/reel_subtitle_asset.h>
 #include <dcp/dcp.h>
 #include <dcp/cpl.h>
+#include <dcp/signer.h>
 #include "writer.h"
 #include "compose.hpp"
 #include "film.h"
@@ -124,6 +125,11 @@ Writer::Writer (shared_ptr<const Film> f, weak_ptr<Job> j)
 		_sound_mxf_writer = _sound_mxf->start_write (_film->directory() / _film->audio_mxf_filename(), _film->interop() ? dcp::INTEROP : dcp::SMPTE);
 	}
 
+	/* Check that the signer is OK if we need one */
+	if (_film->is_signed() && !Config::instance()->signer()->valid ()) {
+		throw InvalidSignerError ();
+	}
+
 	_thread = new boost::thread (boost::bind (&Writer::thread, this));
 
 	job->sub (_("Encoding image data"));
@@ -484,7 +490,16 @@ Writer::finish ()
 	dcp::XMLMetadata meta = Config::instance()->dcp_metadata ();
 	meta.set_issue_date_now ();
 
-	dcp.write_xml (_film->interop () ? dcp::INTEROP : dcp::SMPTE, meta, _film->is_signed() ? make_signer () : shared_ptr<const dcp::Signer> ());
+	shared_ptr<const dcp::Signer> signer;
+	if (_film->is_signed ()) {
+		signer = Config::instance()->signer ();
+		/* We did check earlier, but check again here to be on the safe side */
+		if (!signer->valid ()) {
+			throw InvalidSignerError ();
+		}
+	}
+
+	dcp.write_xml (_film->interop () ? dcp::INTEROP : dcp::SMPTE, meta, signer);
 
 	LOG_GENERAL (
 		N_("Wrote %1 FULL, %2 FAKE, %3 pushed to disk"), _full_written, _fake_written, _pushed_to_disk
diff --git a/src/tools/dcpomatic_kdm.cc b/src/tools/dcpomatic_kdm.cc
index 2ad07cce7..4068dc51a 100644
--- a/src/tools/dcpomatic_kdm.cc
+++ b/src/tools/dcpomatic_kdm.cc
@@ -248,7 +248,7 @@ int main (int argc, char* argv[])
 			error ("you must specify --output");
 		}
 		
-		shared_ptr<dcp::Certificate> certificate (new dcp::Certificate (boost::filesystem::path (certificate_file)));
+		shared_ptr<dcp::Certificate> certificate (new dcp::Certificate (dcp::file_to_string (certificate_file)));
 		dcp::EncryptedKDM kdm = film->make_kdm (certificate, cpl, valid_from.get(), valid_to.get(), formulation);
 		kdm.as_xml (output);
 		if (verbose) {
diff --git a/src/wx/config_dialog.cc b/src/wx/config_dialog.cc
index 306e1f208..ee660832f 100644
--- a/src/wx/config_dialog.cc
+++ b/src/wx/config_dialog.cc
@@ -29,6 +29,8 @@
 #include <wx/filepicker.h>
 #include <wx/spinctrl.h>
 #include <dcp/colour_matrix.h>
+#include <dcp/exceptions.h>
+#include <dcp/signer.h>
 #include "lib/config.h"
 #include "lib/ratio.h"
 #include "lib/scaler.h"
@@ -36,6 +38,7 @@
 #include "lib/dcp_content_type.h"
 #include "lib/colour_conversion.h"
 #include "lib/log.h"
+#include "lib/util.h"
 #include "config_dialog.h"
 #include "wx_util.h"
 #include "editable_list.h"
@@ -107,7 +110,6 @@ public:
 		_num_local_encoding_threads = new wxSpinCtrl (panel);
 		table->Add (_num_local_encoding_threads, 1);
 
-		
 		_check_for_updates = new wxCheckBox (panel, wxID_ANY, _("Check for updates on startup"));
 		table->Add (_check_for_updates, 1, wxEXPAND | wxALL);
 		table->AddSpacer (0);
@@ -547,6 +549,284 @@ private:
 	}
 };
 
+class KeysPage : public wxPreferencesPage, public Page
+{
+public:
+	KeysPage (wxSize panel_size, int border)
+		: Page (panel_size, border)
+	{}
+
+	wxString GetName () const
+	{
+		return _("Keys");
+	}
+
+#ifdef DCPOMATIC_OSX
+	wxBitmap GetLargeIcon () const
+	{
+		return wxBitmap ("keys", wxBITMAP_TYPE_PNG_RESOURCE);
+	}
+#endif	
+
+	wxWindow* CreateWindow (wxWindow* parent)
+	{
+		_panel = new wxPanel (parent, wxID_ANY, wxDefaultPosition, _panel_size);
+		wxBoxSizer* overall_sizer = new wxBoxSizer (wxVERTICAL);
+		_panel->SetSizer (overall_sizer);
+
+		wxStaticText* m = new wxStaticText (_panel, wxID_ANY, _("Certificate chain for signing DCPs and KDMs:"));
+		overall_sizer->Add (m, 0, wxALL, _border);
+		
+		wxBoxSizer* certificates_sizer = new wxBoxSizer (wxHORIZONTAL);
+		overall_sizer->Add (certificates_sizer, 0, wxLEFT | wxRIGHT, _border);
+		
+		_certificates = new wxListCtrl (_panel, wxID_ANY, wxDefaultPosition, wxSize (400, 200), wxLC_REPORT | wxLC_SINGLE_SEL);
+
+		{
+			wxListItem ip;
+			ip.SetId (0);
+			ip.SetText (_("Type"));
+			ip.SetWidth (100);
+			_certificates->InsertColumn (0, ip);
+		}
+
+		{
+			wxListItem ip;
+			ip.SetId (1);
+			ip.SetText (_("Thumbprint"));
+			ip.SetWidth (300);
+
+			wxFont font = ip.GetFont ();
+			font.SetFamily (wxFONTFAMILY_TELETYPE);
+			ip.SetFont (font);
+			
+			_certificates->InsertColumn (1, ip);
+		}
+
+		certificates_sizer->Add (_certificates, 1, wxEXPAND);
+
+		{
+			wxSizer* s = new wxBoxSizer (wxVERTICAL);
+			_add_certificate = new wxButton (_panel, wxID_ANY, _("Add..."));
+			s->Add (_add_certificate, 0, wxTOP | wxBOTTOM, DCPOMATIC_BUTTON_STACK_GAP);
+			_remove_certificate = new wxButton (_panel, wxID_ANY, _("Remove"));
+			s->Add (_remove_certificate, 0, wxTOP | wxBOTTOM, DCPOMATIC_BUTTON_STACK_GAP);
+			certificates_sizer->Add (s, 0, wxLEFT, DCPOMATIC_SIZER_X_GAP);
+		}
+
+		wxFlexGridSizer* table = new wxFlexGridSizer (2, DCPOMATIC_SIZER_X_GAP, DCPOMATIC_SIZER_Y_GAP);
+		table->AddGrowableCol (1, 1);
+		overall_sizer->Add (table, 1, wxALL | wxEXPAND, _border);
+
+		add_label_to_sizer (table, _panel, _("Private key for leaf certificate"), true);
+		{
+			wxSizer* s = new wxBoxSizer (wxHORIZONTAL);
+			_signer_private_key = new wxStaticText (_panel, wxID_ANY, wxT (""));
+			wxFont font = _signer_private_key->GetFont ();
+			font.SetFamily (wxFONTFAMILY_TELETYPE);
+			_signer_private_key->SetFont (font);
+			s->Add (_signer_private_key, 1, wxLEFT | wxRIGHT | wxALIGN_CENTER_VERTICAL, DCPOMATIC_SIZER_X_GAP);
+			_load_signer_private_key = new wxButton (_panel, wxID_ANY, _("Load..."));
+			s->Add (_load_signer_private_key, 0, wxLEFT, DCPOMATIC_SIZER_X_GAP);
+			table->Add (s, 0);
+		}
+
+		add_label_to_sizer (table, _panel, _("Certificate for decrypting DCPs"), true);
+		{
+			wxSizer* s = new wxBoxSizer (wxHORIZONTAL);
+			_decryption_certificate = new wxStaticText (_panel, wxID_ANY, wxT (""));
+			wxFont font = _decryption_certificate->GetFont ();
+			font.SetFamily (wxFONTFAMILY_TELETYPE);
+			_decryption_certificate->SetFont (font);
+			s->Add (_decryption_certificate, 1, wxLEFT | wxRIGHT | wxALIGN_CENTER_VERTICAL, DCPOMATIC_SIZER_X_GAP);
+			_load_decryption_certificate = new wxButton (_panel, wxID_ANY, _("Load..."));
+			s->Add (_load_decryption_certificate, 0, wxLEFT, DCPOMATIC_SIZER_X_GAP);
+			table->Add (s, 0);
+		}
+
+		add_label_to_sizer (table, _panel, _("Private key for decrypting DCPs"), true);
+		{
+			wxSizer* s = new wxBoxSizer (wxHORIZONTAL);
+			_decryption_private_key = new wxStaticText (_panel, wxID_ANY, wxT (""));
+			wxFont font = _decryption_private_key->GetFont ();
+			font.SetFamily (wxFONTFAMILY_TELETYPE);
+			_decryption_private_key->SetFont (font);
+			s->Add (_decryption_private_key, 1, wxLEFT | wxRIGHT | wxALIGN_CENTER_VERTICAL, DCPOMATIC_SIZER_X_GAP);
+			_load_decryption_private_key = new wxButton (_panel, wxID_ANY, _("Load..."));
+			s->Add (_load_decryption_private_key, 0, wxLEFT, DCPOMATIC_SIZER_X_GAP);
+			table->Add (s, 0);
+		}
+		
+		_add_certificate->Bind (wxEVT_COMMAND_BUTTON_CLICKED, boost::bind (&KeysPage::add_certificate, this));
+		_remove_certificate->Bind (wxEVT_COMMAND_BUTTON_CLICKED, boost::bind (&KeysPage::remove_certificate, this));
+		_certificates->Bind (wxEVT_COMMAND_LIST_ITEM_SELECTED, boost::bind (&KeysPage::update_sensitivity, this));
+		_certificates->Bind (wxEVT_COMMAND_LIST_ITEM_DESELECTED, boost::bind (&KeysPage::update_sensitivity, this));
+		_load_signer_private_key->Bind (wxEVT_COMMAND_BUTTON_CLICKED, boost::bind (&KeysPage::load_signer_private_key, this));
+		_load_decryption_certificate->Bind (wxEVT_COMMAND_BUTTON_CLICKED, boost::bind (&KeysPage::load_decryption_certificate, this));
+		_load_decryption_private_key->Bind (wxEVT_COMMAND_BUTTON_CLICKED, boost::bind (&KeysPage::load_decryption_private_key, this));
+
+		_signer.reset (new dcp::Signer (*Config::instance()->signer().get ()));
+
+		update_certificate_list ();
+		update_signer_private_key ();
+		update_decryption_certificate ();
+		update_decryption_private_key ();
+		update_sensitivity ();
+
+		return _panel;
+	}
+
+private:
+	void add_certificate ()
+	{
+		wxFileDialog* d = new wxFileDialog (_panel, _("Select Certificate File"));
+		
+		if (d->ShowModal() == wxID_OK) {
+			try {
+				shared_ptr<dcp::Certificate> c (new dcp::Certificate (dcp::file_to_string (wx_to_std (d->GetPath ()))));
+				_signer->certificates().add (c);
+				Config::instance()->set_signer (_signer);
+				update_certificate_list ();
+			} catch (dcp::MiscError& e) {
+				error_dialog (_panel, wxString::Format (_("Could not read certificate file (%s)"), e.what ()));
+			}
+		}
+		
+		d->Destroy ();
+
+		update_sensitivity ();
+	}
+
+	void remove_certificate ()
+	{
+		int i = _certificates->GetNextItem (-1, wxLIST_NEXT_ALL, wxLIST_STATE_SELECTED);
+		if (i == -1) {
+			return;
+		}
+		
+		_certificates->DeleteItem (i);
+		_signer->certificates().remove (i);
+		Config::instance()->set_signer (_signer);
+
+		update_sensitivity ();
+	}
+
+	void update_certificate_list ()
+	{
+		_certificates->DeleteAllItems ();
+		dcp::CertificateChain::List certs = _signer->certificates().root_to_leaf ();
+		size_t n = 0;
+		for (dcp::CertificateChain::List::const_iterator i = certs.begin(); i != certs.end(); ++i) {
+			wxListItem item;
+			item.SetId (n);
+			_certificates->InsertItem (item);
+			_certificates->SetItem (n, 1, std_to_wx ((*i)->thumbprint ()));
+
+			if (n == 0) {
+				_certificates->SetItem (n, 0, _("Root"));
+			} else if (n == (certs.size() - 1)) {
+				_certificates->SetItem (n, 0, _("Leaf"));
+			} else {
+				_certificates->SetItem (n, 0, _("Intermediate"));
+			}
+
+			++n;
+		}
+	}
+
+	void update_sensitivity ()
+	{
+		_remove_certificate->Enable (_certificates->GetNextItem (-1, wxLIST_NEXT_ALL, wxLIST_STATE_SELECTED) != -1);
+	}
+
+	void update_signer_private_key ()
+	{
+		_signer_private_key->SetLabel (std_to_wx (dcp::private_key_fingerprint (_signer->key ())));
+	}	
+
+	void load_signer_private_key ()
+	{
+		wxFileDialog* d = new wxFileDialog (_panel, _("Select Key File"));
+
+		if (d->ShowModal() == wxID_OK) {
+			try {
+				boost::filesystem::path p (wx_to_std (d->GetPath ()));
+				if (boost::filesystem::file_size (p) > 1024) {
+					error_dialog (_panel, wxString::Format (_("Could not read key file (%s)"), std_to_wx (p.string ())));
+					return;
+				}
+				
+				_signer->set_key (dcp::file_to_string (p));
+				Config::instance()->set_signer (_signer);
+				update_signer_private_key ();
+			} catch (dcp::MiscError& e) {
+				error_dialog (_panel, wxString::Format (_("Could not read certificate file (%s)"), e.what ()));
+			}
+		}
+		
+		d->Destroy ();
+
+		update_sensitivity ();
+
+	}
+
+	void load_decryption_certificate ()
+	{
+		wxFileDialog* d = new wxFileDialog (_panel, _("Select Certificate File"));
+		
+		if (d->ShowModal() == wxID_OK) {
+			try {
+				dcp::Certificate c (dcp::file_to_string (wx_to_std (d->GetPath ())));
+				Config::instance()->set_decryption_certificate (c);
+				update_decryption_certificate ();
+			} catch (dcp::MiscError& e) {
+				error_dialog (_panel, wxString::Format (_("Could not read certificate file (%s)"), e.what ()));
+			}
+		}
+		
+		d->Destroy ();
+	}
+
+	void update_decryption_certificate ()
+	{
+		_decryption_certificate->SetLabel (std_to_wx (Config::instance()->decryption_certificate().thumbprint ()));
+	}
+
+	void load_decryption_private_key ()
+	{
+		wxFileDialog* d = new wxFileDialog (_panel, _("Select Key File"));
+
+		if (d->ShowModal() == wxID_OK) {
+			try {
+				boost::filesystem::path p (wx_to_std (d->GetPath ()));
+				Config::instance()->set_decryption_private_key (dcp::file_to_string (p));
+				update_decryption_private_key ();
+			} catch (dcp::MiscError& e) {
+				error_dialog (_panel, wxString::Format (_("Could not read key file (%s)"), e.what ()));
+			}
+		}
+		
+		d->Destroy ();
+	}
+
+	void update_decryption_private_key ()
+	{
+		_decryption_private_key->SetLabel (std_to_wx (dcp::private_key_fingerprint (Config::instance()->decryption_private_key())));
+	}
+
+	wxPanel* _panel;
+	wxListCtrl* _certificates;
+	wxButton* _add_certificate;
+	wxButton* _remove_certificate;
+	wxStaticText* _signer_private_key;
+	wxButton* _load_signer_private_key;
+	wxStaticText* _decryption_certificate;
+	wxButton* _load_decryption_certificate;
+	wxStaticText* _decryption_private_key;
+	wxButton* _load_decryption_private_key;
+	shared_ptr<dcp::Signer> _signer;
+};
+
 class TMSPage : public wxPreferencesPage, public Page
 {
 public:
@@ -901,6 +1181,7 @@ create_config_dialog ()
 	e->AddPage (new DefaultsPage (ps, border));
 	e->AddPage (new EncodingServersPage (ps, border));
 	e->AddPage (new ColourConversionsPage (ps, border));
+	e->AddPage (new KeysPage (ps, border));
 	e->AddPage (new TMSPage (ps, border));
 	e->AddPage (new KDMEmailPage (ps, border));
 	e->AddPage (new AdvancedPage (ps, border));
diff --git a/src/wx/editable_list.h b/src/wx/editable_list.h
index 470be2d09..a282bba69 100644
--- a/src/wx/editable_list.h
+++ b/src/wx/editable_list.h
@@ -43,7 +43,7 @@ public:
 
 		wxFlexGridSizer* table = new wxFlexGridSizer (2, DCPOMATIC_SIZER_X_GAP, DCPOMATIC_SIZER_Y_GAP);
 		table->AddGrowableCol (0, 1);
-		s->Add (table, 1, wxALL | wxEXPAND, 8);
+		s->Add (table, 1, wxEXPAND);
 
 		_list = new wxListCtrl (this, wxID_ANY, wxDefaultPosition, wxSize (columns.size() * 200, height), wxLC_REPORT | wxLC_SINGLE_SEL);
 
diff --git a/src/wx/screen_dialog.cc b/src/wx/screen_dialog.cc
index 6b58145eb..10650263b 100644
--- a/src/wx/screen_dialog.cc
+++ b/src/wx/screen_dialog.cc
@@ -89,7 +89,7 @@ void
 ScreenDialog::load_certificate (boost::filesystem::path file)
 {
 	try {
-		_certificate.reset (new dcp::Certificate (file));
+		_certificate.reset (new dcp::Certificate (dcp::file_to_string (file)));
 		_certificate_text->SetValue (_certificate->certificate ());
 	} catch (dcp::MiscError& e) {
 		error_dialog (this, wxString::Format (_("Could not read certificate file (%s)"), e.what()));