From e134af0bdfcd5197ea236f835dece0521ebf6b2e Mon Sep 17 00:00:00 2001
From: Carl Hetherington <cth@carlh.net>
Date: Tue, 28 Oct 2025 23:10:45 +0100
Subject: Fix decryption import code to work with PKCS1 and PKCS8 formats.

PKCS1 uses
BEGIN RSA PRIVATE KEY
but PKCS8 has only
BEGIN PRIVATE KEY
---
 src/lib/export_decryption_settings.cc   |  4 ++--
 test/data                               |  2 +-
 test/export_decryption_settings_test.cc | 41 +++++++++++++++++++++++++++++++++
 test/wscript                            |  1 +
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 test/export_decryption_settings_test.cc

diff --git a/src/lib/export_decryption_settings.cc b/src/lib/export_decryption_settings.cc
index 1ba791251..13c6bda28 100644
--- a/src/lib/export_decryption_settings.cc
+++ b/src/lib/export_decryption_settings.cc
@@ -65,10 +65,10 @@ import_decryption_chain_and_key(boost::filesystem::path const& path)
 		}
 		current += buffer;
 
-		if (strncmp(buffer, "-----END CERTIFICATE-----", 25) == 0) {
+		if (current.find("-----END CERTIFICATE-----") != string::npos) {
 			new_chain->add(dcp::Certificate(current));
 			current = "";
-		} else if (strncmp(buffer, "-----END RSA PRIVATE KEY-----", 29) == 0) {
+		} else if (current.find("-----END") != string::npos && current.find("PRIVATE KEY-----", 29) != string::npos) {
 			new_chain->set_key(current);
 			current = "";
 		}
diff --git a/test/data b/test/data
index 67e713cb1..024cb24f4 160000
--- a/test/data
+++ b/test/data
@@ -1 +1 @@
-Subproject commit 67e713cb1b06dede9cd0e972c6e1a0202b6a8352
+Subproject commit 024cb24f49525e0cc172d4e91d75e0c4d81ef6ed
diff --git a/test/export_decryption_settings_test.cc b/test/export_decryption_settings_test.cc
new file mode 100644
index 000000000..b7b685827
--- /dev/null
+++ b/test/export_decryption_settings_test.cc
@@ -0,0 +1,41 @@
+/*
+    Copyright (C) 2025 Carl Hetherington <cth@carlh.net>
+
+    This file is part of DCP-o-matic.
+
+    DCP-o-matic is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    DCP-o-matic is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with DCP-o-matic.  If not, see <http://www.gnu.org/licenses/>.
+
+*/
+
+
+#include "lib/config.h"
+#include "lib/export_decryption_settings.h"
+#include <boost/test/unit_test.hpp>
+
+
+BOOST_AUTO_TEST_CASE(test_export_decryption_settings)
+{
+	export_decryption_chain_and_key(Config::instance()->decryption_chain(), "build/test/foo.dom");
+	auto test = import_decryption_chain_and_key("build/test/foo.dom");
+
+	BOOST_REQUIRE(Config::instance()->decryption_chain()->root_to_leaf() == test->root_to_leaf());
+	BOOST_REQUIRE(Config::instance()->decryption_chain()->key() == test->key());
+}
+
+
+BOOST_AUTO_TEST_CASE(test_import_pkcs8_settings)
+{
+	BOOST_CHECK(import_decryption_chain_and_key("test/data/pkcs8_state.dom"));
+}
+
diff --git a/test/wscript b/test/wscript
index 50c86751f..1390beebb 100644
--- a/test/wscript
+++ b/test/wscript
@@ -90,6 +90,7 @@ def build(bld):
                  empty_test.cc
                  encode_cli_test.cc
                  encryption_test.cc
+                 export_decryption_settings_test.cc
                  file_extension_test.cc
                  ffmpeg_audio_only_test.cc
                  ffmpeg_audio_test.cc
-- 
cgit v1.2.3