authorCarl Hetherington <cth@carlh.net>2022-12-22 20:54:47 +0100
committerCarl Hetherington <cth@carlh.net>2022-12-22 20:54:47 +0100
commit1d168b8a94d2c3ae14f52fea222fa7bbdf5c1058 (patch)
treefa4983eec45991091e2d9be79258ed2e3ab2eeda
parent4cf7fe0818a71435545237012b45ccd443906189 (diff)
Store not_valid_{before,after} when reading encrypted KDMs.
-rwxr-xr-xscripts/remake-test-certificates23
-rw-r--r--src/decrypted_kdm.cc19
-rw-r--r--src/exceptions.cc7
-rw-r--r--src/exceptions.h6
4 files changed, 55 insertions, 0 deletions
diff --git a/scripts/remake-test-certificates b/scripts/remake-test-certificates
new file mode 100755
index 00000000..2385ccd1
--- /dev/null
+++ b/scripts/remake-test-certificates
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+DCT=$HOME/src/digital_cinema_tools
+PRIVATE=$HOME/src/libdcp-test-private
+
+mkdir work
+cd work
+
+$DCT/make-dc-certificate-chain.rb
+CINEMACERTSTORE=. $DCT/cinemaslides --kdm \
+ --cpl $PRIVATE/TONEPLATES-SMPTE-ENCRYPTED_TST_F_XX-XX_ITL-TD_51-XX_2K_WOE_20111001_WOE_OV/cpl_eece17de-77e8-4a55-9347-b6bab5724b9f_.xml \
+ --target leaf.signed.pem \
+ --keysdir $DCT/encryption/content_keys \
+ --formulation modified-transitional-1 \
+ --start 8
+
+mv kdm_*.xml ../../test/data/kdm_TONEPLATES-SMPTE-ENC_.smpte-430-2.ROOT.NOT_FOR_PRODUCTION_20130706_20230702_CAR_OV_t1_8971c838.xml
+mv dc-certificate-chain ../../test/data/certificate_chain
+mv leaf.key ../../test/data/private.key
+
+cd ..
+rm -rf work
+
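Review bot: The script runs without `set -e`, so if `mkdir work` or `cd work` fails the certificate generation, the three `mv` commands into `../../test/data/` and the closing `rm -rf work` all execute in whatever directory the script was started from; adding `set -euo pipefail` directly after the shebang makes any failing step stop the run. The `../../test/data/...` targets (resolved from inside `work/`) and the `$HOME/src/...` paths also presuppose that the script is invoked from the `scripts/` directory with both checkouts in place, which deserves a comment at the top, e.g. `# Run from scripts/; needs digital_cinema_tools and libdcp-test-private checked out under ~/src`. `mkdir work` will also fail if a stale `work/` is left over from an aborted run, which is another reason to stop early rather than continue.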
diff --git a/src/decrypted_kdm.cc b/src/decrypted_kdm.cc
index 592ab717..bdf7ec9d 100644
--- a/src/decrypted_kdm.cc
+++ b/src/decrypted_kdm.cc
@@ -156,6 +156,8 @@ DecryptedKDM::DecryptedKDM (EncryptedKDM const & kdm, string private_key)
/* Use the private key to decrypt the keys */
+ bool first = true;
+
for (auto const& i: kdm.keys()) {
/* Decode the base-64-encoded cipher value from the KDM */
unsigned char cipher_value[256];
@@ -173,6 +175,9 @@ DecryptedKDM::DecryptedKDM (EncryptedKDM const & kdm, string private_key)
#endif
}
+ dcp::LocalTime not_valid_before;
+ dcp::LocalTime not_valid_after;
+
unsigned char* p = decrypted;
switch (decrypted_len) {
case 134:
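Review bot: `not_valid_before` and `not_valid_after` are default-constructed `dcp::LocalTime` values that are only assigned inside the 134- and 138-byte cases; if the switch has any path that reaches the comparison below it without assigning them, the default-constructed times would be compared and stored without any error. Declaring them as `optional<dcp::LocalTime>` (the file already uses `optional<string>`) and dereferencing at the point of use would make such a path fail visibly. Whether such a path exists depends on the rest of the switch, which lies outside this hunk.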
@@ -187,8 +192,10 @@ DecryptedKDM::DecryptedKDM (EncryptedKDM const & kdm, string private_key)
/* 52 is key id [16 bytes] */
string const key_id = get_uuid (&p);
/* 68 is not-valid-before (a string) [25 bytes] */
+ not_valid_before = dcp::LocalTime(std::string(reinterpret_cast<char*>(p), 25));
p += 25;
/* 93 is not-valid-after (a string) [25 bytes] */
+ not_valid_after = dcp::LocalTime(std::string(reinterpret_cast<char*>(p), 25));
p += 25;
/* 118 is the key [ASDCP::KeyLen bytes] */
add_key (optional<string>(), key_id, Key(p), cpl_id, Standard::INTEROP);
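Review bot: The new `dcp::LocalTime(std::string(reinterpret_cast<char*>(p), 25))` calls at L70 and L73 (and again at L81/L84 in the next hunk) execute while `decrypted` is a raw `new[]` buffer that is released only by the `delete[] decrypted` after the switch, so if the `LocalTime` constructor rejects a malformed 25-byte field by throwing — its contract is not visible here — the buffer leaks, and `rsa` with it since `RSA_free` comes after the loop. Holding `decrypted` in a `std::unique_ptr<unsigned char[]>` where it is allocated (outside this hunk) would cover every throw path in the loop at once. The two lines are also duplicated verbatim between the Interop and SMPTE cases; a small file-local helper such as `static dcp::LocalTime read_local_time (unsigned char** p)` that builds the string and advances `*p` by 25 would keep the two offset tables from drifting apart.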
@@ -209,8 +216,10 @@ DecryptedKDM::DecryptedKDM (EncryptedKDM const & kdm, string private_key)
/* 56 is key id [16 bytes] */
string const key_id = get_uuid (&p);
/* 72 is not-valid-before (a string) [25 bytes] */
+ not_valid_before = dcp::LocalTime(std::string(reinterpret_cast<char*>(p), 25));
p += 25;
/* 97 is not-valid-after (a string) [25 bytes] */
+ not_valid_after = dcp::LocalTime(std::string(reinterpret_cast<char*>(p), 25));
p += 25;
/* 112 is the key [ASDCP::KeyLen bytes] */
add_key (key_type, key_id, Key(p), cpl_id, Standard::SMPTE);
@@ -221,6 +230,16 @@ DecryptedKDM::DecryptedKDM (EncryptedKDM const & kdm, string private_key)
}
delete[] decrypted;
+
+ if (first) {
+ _not_valid_before = not_valid_before;
+ _not_valid_after = not_valid_after;
+ first = false;
+ } else {
+ if (not_valid_before != _not_valid_before || not_valid_after != _not_valid_after) {
+ throw InconsistentValidityPeriodError();
+ }
+ }
}
RSA_free (rsa);
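Review bot: `throw InconsistentValidityPeriodError()` at L98 leaves the loop before `RSA_free (rsa)` at L102, so the RSA key object is leaked on that path (`decrypted` has already been released at L90, so only `rsa` is affected here). Either release it before throwing, `RSA_free (rsa); throw InconsistentValidityPeriodError();`, or hold `rsa` in a `std::unique_ptr<RSA, decltype(&RSA_free)>` where it is created (outside this hunk) so every exit frees it. The nested `} else { if (...) {` reads more directly as `} else if (not_valid_before != _not_valid_before || not_valid_after != _not_valid_after) {`. If `kdm.keys()` is empty the `_not_valid_before`/`_not_valid_after` members are never assigned and keep whatever their declaration gives them, which is worth a comment on the members or a check at the accessors, depending on how they are meant to behave.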
diff --git a/src/exceptions.cc b/src/exceptions.cc
index 00627de8..96a9a696 100644
--- a/src/exceptions.cc
+++ b/src/exceptions.cc
@@ -198,3 +198,10 @@ MissingAssetmapError::MissingAssetmapError (boost::filesystem::path dir)
}
+
+InconsistentValidityPeriodError::InconsistentValidityPeriodError()
+ : runtime_error("KDM contains keys with different validity periods")
+{
+
+}
+
diff --git a/src/exceptions.h b/src/exceptions.h
index 78d0943e..99e55b28 100644
--- a/src/exceptions.h
+++ b/src/exceptions.h
@@ -317,6 +317,12 @@ public:
};
+class InconsistentValidityPeriodError : public std::runtime_error
+{
+public:
+ InconsistentValidityPeriodError();
+};
+
}
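Review bot: The new `InconsistentValidityPeriodError` class carries no documentation comment saying when it is raised; a one-line Doxygen note above the class, `/** @brief Thrown when the keys in a single KDM do not all share the same not-valid-before/not-valid-after period */`, would tell callers of `DecryptedKDM` what they are catching. The message text is fixed in `exceptions.cc`, so this comment is the only place the header describes the condition to its users.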