Use openssl's base-64 decoding for KDMs.

9 files changed, 360 insertions, 11 deletions

diff --git a/src/kdm.cc b/src/kdm.cc
index 95c293c3..6936bc1e 100644
--- a/src/kdm.cc
+++ b/src/kdm.cc
@@ -18,11 +18,14 @@
 */
 
 #include <iomanip>
+#include <boost/algorithm/string.hpp>
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
+#include <openssl/err.h>
 #include <libcxml/cxml.h>
-#include "KM_util.h"
+#include "util.h"
 #include "kdm.h"
+#include "compose.hpp"
 #include "exceptions.h"
 
 using std::list;
@@ -31,6 +34,7 @@ using std::stringstream;
 using std::hex;
 using std::setw;
 using std::setfill;
+using std::cout;
 using boost::shared_ptr;
 using namespace libdcp;
 
@@ -65,18 +69,18 @@ KDM::KDM (boost::filesystem::path kdm, boost::filesystem::path private_key)
 
 		/* Decode it from base-64 */
 		unsigned char cipher_value[256];
-		ui32_t cipher_value_len;
-		if (Kumu::base64decode (cipher_value_base64->content().c_str(), cipher_value, sizeof (cipher_value), &cipher_value_len)) {
-			RSA_free (rsa);
-			throw MiscError ("could not base-64-decode CipherValue from KDM");
-		}
+		int const cipher_value_len = base64_decode (cipher_value_base64->content(), cipher_value, sizeof (cipher_value));
 
 		/* Decrypt it */
-		unsigned char decrypted[2048];
-		unsigned int const decrypted_len = RSA_private_decrypt (cipher_value_len, cipher_value, decrypted, rsa, RSA_PKCS1_OAEP_PADDING);
-		assert (decrypted_len < sizeof (decrypted));
+		unsigned char* decrypted = new unsigned char[RSA_size(rsa)];
+		int const decrypted_len = RSA_private_decrypt (cipher_value_len, cipher_value, decrypted, rsa, RSA_PKCS1_OAEP_PADDING);
+		if (decrypted_len == -1) {
+			delete[] decrypted;
+			throw MiscError (String::compose ("Could not decrypt KDM (%1)", ERR_error_string (ERR_get_error(), 0)));
+		}
 
 		_ciphers.push_back (KDMCipher (decrypted, decrypted_len));
+		delete[] decrypted;
 	}
 
 	RSA_free (rsa);
diff --git a/src/util.cc b/src/util.cc
index e909e3cb..18fa1b17 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -405,3 +405,30 @@ bool libdcp::operator!= (libdcp::Size const & a, libdcp::Size const & b)
 	return !(a == b);
 }
 
+/** The base64 decode routine in KM_util.cpp gives different values to both
+ *  this and the command-line base64 for some inputs.  Not sure why.
+ */
+int
+libdcp::base64_decode (string const & in, unsigned char* out, int out_length)
+{
+	BIO* b64 = BIO_new (BIO_f_base64 ());
+
+	/* This means the input should have no newlines */
+	BIO_set_flags (b64, BIO_FLAGS_BASE64_NO_NL);
+
+	/* Copy our input string, removing newlines */
+	char in_buffer[in.size() + 1];
+	char* p = in_buffer;
+	for (size_t i = 0; i < in.size(); ++i) {
+		if (in[i] != '\n' && in[i] != '\r') {
+			*p++ = in[i];
+		}
+	}
+		
+	BIO* bmem = BIO_new_mem_buf (in_buffer, p - in_buffer);
+	bmem = BIO_push (b64, bmem);
+	int const N = BIO_read (bmem, out, out_length);
+	BIO_free_all (bmem);
+
+	return N;
+}
diff --git a/src/util.h b/src/util.h
index 8b5f76bb..fab7bd37 100644
--- a/src/util.h
+++ b/src/util.h
@@ -72,7 +72,9 @@ extern void init ();
 extern void sign (xmlpp::Element* parent, CertificateChain const & certificates, std::string const & signer_key);
 extern void add_signature_value (xmlpp::Element* parent, CertificateChain const & certificates, std::string const & signer_key, std::string const & ns);
 extern void add_signer (xmlpp::Element* parent, CertificateChain const & certificates, std::string const & ns);
-	
+
+extern int base64_decode (std::string const & in, unsigned char* out, int out_length);
+
 }
 
 #endif
diff --git a/test/data/base64_test b/test/data/base64_test
new file mode 100644
index 00000000..90c461c6
--- /dev/null
+++ b/test/data/base64_test
@@ -0,0 +1,6 @@
+EXpqcbsbZiXsHV/hD9RGlk6xk9hJ3or98MWVwDojHhmkgAhq5294msu3TjfdCz9LAcUCJMB88QNC
+3lQdM+vHzY7gmQi6Ymnww9Gvfm/xbFVLmJd7dJHmBavb6+OnfZ38OK9wamVgH7Me+qqvRZj3eoqT
+2pW6QVQmtvVkMXzNDW6FHtVu5UwsWwt6RTFRp+8v/M/6LD8koNw0PIyAIfENEKQkoENbBiomHtDC
+vzlegK9k23n00sRgGCwK7BEIU+s4C/x1ySxaIneqb4F50oMtxJtRN50UNLVMDao7POpTFI/ryxSJ
+UbwNSlxaKFHQQ3OAKpD+7Vzj73DV/kJLbwgHWw==
+
diff --git a/test/data/target.pem.crt.de5d4eba-e683-41ca-bdda-aa4ad96af3f4.kdm.xml b/test/data/target.pem.crt.de5d4eba-e683-41ca-bdda-aa4ad96af3f4.kdm.xml
new file mode 100644
index 00000000..7ea2c6d2
--- /dev/null
+++ b/test/data/target.pem.crt.de5d4eba-e683-41ca-bdda-aa4ad96af3f4.kdm.xml
@@ -0,0 +1,245 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<DCinemaSecurityMessage xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" xmlns:kdm="http://www.smpte-ra.org/schemas/430-1/2006/KDM" xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM">
+  <!--WARNING! DO NOT EDIT THIS FILE OR OTHERWISE PROBLEMS MAY OCCUR DURING INGEST OR PLAYBACK!-->
+  <!--Created by Fraunhofer IIS easyDCP Creator Version 2.1.3-->
+  <AuthenticatedPublic Id="ID_AuthenticatedPublic">
+    <MessageId>urn:uuid:de5d4eba-e683-41ca-bdda-aa4ad96af3f4</MessageId>
+    <MessageType>http://www.smpte-ra.org/430-1/2006/KDM#kdm-key-type</MessageType>
+    <AnnotationText>PAUL-BOWLES_TLR_F_EN-DE_CH_51_2K_LOK_20130301_DGL_OV</AnnotationText>
+    <IssueDate>2013-07-08T07:13:26+02:00</IssueDate>
+    <Signer>
+      <ds:X509IssuerName>dnQualifier=w1KRD/ugKFdJLb0S8PyfuNZBDcM=,CN=.EASYDCP-CREATOR.DCINEMA.FRAUNHOFER.DE,OU=.DCINEMA.FRAUNHOFER.DE,O=.DCINEMA.FRAUNHOFER.DE</ds:X509IssuerName>
+      <ds:X509SerialNumber>681</ds:X509SerialNumber>
+    </Signer>
+    <RequiredExtensions>
+      <KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
+        <Recipient>
+          <X509IssuerSerial>
+            <ds:X509IssuerName>dnQualifier=L7hRU1k0AaJM23TJg2PYWmflEVk=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org</ds:X509IssuerName>
+            <ds:X509SerialNumber>5</ds:X509SerialNumber>
+          </X509IssuerSerial>
+          <X509SubjectName>dnQualifier=L7hRU1k0AaJM23TJg2PYWmflEVk=,CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION,OU=example.org,O=example.org</X509SubjectName>
+        </Recipient>
+        <CompositionPlaylistId>urn:uuid:1296643f-e0ba-438e-bcfa-e47852173d5b</CompositionPlaylistId>
+        <ContentTitleText>PAUL-BOWLES_TLR_F_EN-DE_CH_51_2K_LOK_20130301_DGL_OV</ContentTitleText>
+        <ContentKeysNotValidBefore>2013-07-08T07:13:26+02:00</ContentKeysNotValidBefore>
+        <ContentKeysNotValidAfter>2023-07-04T22:04:56+02:00</ContentKeysNotValidAfter>
+        <AuthorizedDeviceInfo>
+          <DeviceListIdentifier>urn:uuid:ba624ff9-0667-44cd-beaa-5b2dc81e57ee</DeviceListIdentifier>
+          <DeviceListDescription>Assume Trust TDL</DeviceListDescription>
+          <DeviceList>
+            <CertificateThumbprint>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</CertificateThumbprint>
+          </DeviceList>
+        </AuthorizedDeviceInfo>
+        <KeyIdList>
+          <TypedKeyId>
+            <KeyType>MDIK</KeyType>
+            <KeyId>urn:uuid:0e947ded-917f-4841-9f9b-3d2bdd98b39e</KeyId>
+          </TypedKeyId>
+          <TypedKeyId>
+            <KeyType>MDAK</KeyType>
+            <KeyId>urn:uuid:bce11ede-88d6-419f-b736-961745c0905a</KeyId>
+          </TypedKeyId>
+          <TypedKeyId>
+            <KeyType>MDIK</KeyType>
+            <KeyId>urn:uuid:8edcad52-b7b1-4db7-b65f-7d2ef29cb97a</KeyId>
+          </TypedKeyId>
+          <TypedKeyId>
+            <KeyType>MDAK</KeyType>
+            <KeyId>urn:uuid:6b699446-ca2b-4548-bf4c-5abf8320781f</KeyId>
+          </TypedKeyId>
+        </KeyIdList>
+      </KDMRequiredExtensions>
+    </RequiredExtensions>
+    <NonCriticalExtensions/>
+  </AuthenticatedPublic>
+  <AuthenticatedPrivate Id="ID_AuthenticatedPrivate">
+    <enc:EncryptedKey>
+      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+      <enc:CipherData>
+        <enc:CipherValue>EXpqcbsbZiXsHV/hD9RGlk6xk9hJ3or98MWVwDojHhmkgAhq5294msu3TjfdCz9LAcUCJMB88QNC
+3lQdM+vHzY7gmQi6Ymnww9Gvfm/xbFVLmJd7dJHmBavb6+OnfZ38OK9wamVgH7Me+qqvRZj3eoqT
+2pW6QVQmtvVkMXzNDW6FHtVu5UwsWwt6RTFRp+8v/M/6LD8koNw0PIyAIfENEKQkoENbBiomHtDC
+vzlegK9k23n00sRgGCwK7BEIU+s4C/x1ySxaIneqb4F50oMtxJtRN50UNLVMDao7POpTFI/ryxSJ
+UbwNSlxaKFHQQ3OAKpD+7Vzj73DV/kJLbwgHWw==</enc:CipherValue>
+      </enc:CipherData>
+    </enc:EncryptedKey>
+    <enc:EncryptedKey>
+      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+      <enc:CipherData>
+        <enc:CipherValue>ouGwhQtlrP4rYLPhC5SFQ6hUB3/AdHCeNh9xVHNN8oDhhuCRzn5t9QTWzsm6IRufhkkh/ofXa/YH
+3/zvZcjlGtudYDUJa7ZViT1309PsGC/1I8E5inJv4DKXW/Xo4hqIiNl7ht64Oet0H+MIUCcacEEh
+X51UwMFVHxV+wQ2KZWA2ab3R4210k2My5QFiMYMuycIrY/218wSRROdxfKgIO2X7E+8otpyU1Xzn
+nmazdEsnLlcZ14ds5VdKLdErSpI+4DAzOM7lo+5YoXlpHokbbacxoqdsPlst3ZMGACf0tk2E9Gh5
+s4gr8HNSTA6ovzNjYD0/uoXAz8zHIfB/y/+aFg==</enc:CipherValue>
+      </enc:CipherData>
+    </enc:EncryptedKey>
+    <enc:EncryptedKey>
+      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+      <enc:CipherData>
+        <enc:CipherValue>GrcYZBelAhKX0tKBS5IX67o/Q7lumVIBnEYwu+MNGqfB1iBPUGl3DG7DrcmS7W6WpFERwYoFOYxP
+Uzs3V0eqdxghNMrVi8UcBknDp+5IqYJnVP7Ia7ja5VdxkDDXpIMGLvx+Tdx4n90TklxNnug9BuuO
+0Q9EDNZboZM6LkAdEYkgiQfOYiXpsxcyYVUogFMm9xwVXrQEn/ppEh7b0ybkB2eg+A6sfYa32wry
+/FfdkgwrZI7kJIzwrC5F8PralLKDC8nz07CUCgHSrAHctcQzh6NT0zyI8fdKG9NpIGzF2B8/jaNz
+Wy2smHRjatYgSdgazfJmqCjkyZE0ZkeIuOuolA==</enc:CipherValue>
+      </enc:CipherData>
+    </enc:EncryptedKey>
+    <enc:EncryptedKey>
+      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
+      <enc:CipherData>
+        <enc:CipherValue>b3Z4bLZRh78p+dFugbE9UJWIZndhysC8lfZrSf0XmaY6bKQ02RlnrWHVb7IU6pRkmxqwS1h1M4O0
++EakwVq5g199P4XvItQgDM9rsg0n/+zu/UUPrKCe7659PIo04pIqZvBJwcdm58NoUKuN1ugjXoSP
+kwsesHUwA4wLce10ruNkvt2VGiWqXYzg0aF6lOgh3rb/wvQejDGbYsMGQEOf0lalarAq/kS+ADXk
+A3Gg+PYSS1k8o2jc9S1PXcVVFA9fvR/1RCUu0b6+Ha1J1NJSTAHhR6Q5uEhmc03RR8Rr79a+eQVA
+4OIvYnUHBGWb0GlDqF71PtI3YtwFbhtQT9UTyA==</enc:CipherValue>
+      </enc:CipherData>
+    </enc:EncryptedKey>
+  </AuthenticatedPrivate>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#ID_AuthenticatedPublic">
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>ywDjAo/NpzlB/lRbWNO8N7/t/oMEhzZa7CPVZy/68bo=</ds:DigestValue>
+      </ds:Reference>
+      <ds:Reference URI="#ID_AuthenticatedPrivate">
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue>6h/KsTy9y+qciUg47YhuEc6SathnifWU6HRYcxZe7Ys=</ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>QOX20GqmWMleJsgvops3BSgGl7WTrw/1jc+vLE3t/vXW5K2cyJPaLFr6cKWGkB24
+T6LzDh0K9RpNnf3uHvRsw6K6HE5eBJoPe6YYPKrmrXk4P5AZv2X9CnGhiW8btfIp
+UqHIQrqKEhYofrEOYJY6SzYLt8er2NfP4ZZuZPvNMN3czMe5rdfWCOIOkCpr1YW1
+hJu8t6atjPwkTccKQ1pPBTDp0YKyOzo33gb0pFZXK7lr4LYMPFsV7OYNHK8MghbS
+iVfpHSHzfqHnoFRIYQAHrZi2J9NMX+LcgA+dRwSURLjzg3EP78yyIT1TK+DuyBIJ
+CGzbtVIXhozfgAt3RCBXcw==</ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:X509Data>
+        <ds:X509IssuerSerial>
+          <ds:X509IssuerName>dnQualifier=w1KRD/ugKFdJLb0S8PyfuNZBDcM=,CN=.EASYDCP-CREATOR.DCINEMA.FRAUNHOFER.DE,OU=.DCINEMA.FRAUNHOFER.DE,O=.DCINEMA.FRAUNHOFER.DE</ds:X509IssuerName>
+          <ds:X509SerialNumber>681</ds:X509SerialNumber>
+        </ds:X509IssuerSerial>
+        <ds:X509Certificate>MIIEnzCCA4egAwIBAgICAqkwDQYJKoZIhvcNAQELBQAwgZoxHzAdBgNVBAoTFi5E
+Q0lORU1BLkZSQVVOSE9GRVIuREUxHzAdBgNVBAsTFi5EQ0lORU1BLkZSQVVOSE9G
+RVIuREUxLzAtBgNVBAMTJi5FQVNZRENQLUNSRUFUT1IuRENJTkVNQS5GUkFVTkhP
+RkVSLkRFMSUwIwYDVQQuExx3MUtSRC91Z0tGZEpMYjBTOFB5ZnVOWkJEY009MB4X
+DTEyMDcxNzE0NDEzNFoXDTMxMDYxNDA5NDg1NVowgYMxJTAjBgNVBC4THGliODUw
+T3AxdFZkWTA4a3dIZmQxVEQyd04vWT0xGDAWBgNVBAMTD0NTLkRJQUdPTkFMLkNP
+TTEfMB0GA1UECxMWLkRDSU5FTUEuRlJBVU5IT0ZFUi5ERTEfMB0GA1UEChMWLkRD
+SU5FTUEuRlJBVU5IT0ZFUi5ERTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBANaZwx7PMFtn1PNe9H60xfDVZ1oK9gMzLQxSb8T4eFZDEWVf4Xr4ukLSro16
+ADGvNn1HZIIy6gMlQACBwGVW3jY+siS+/QeYVO1nns0BtFYmDlrOdOdJarVrkB1e
+PAdYqrvG5vwba0Y7+eISqqfo+/zsLl5/dehYgcMS1dh3vsqWM1G36v7/uAg+i3Zj
+YYC5A1EfZ2xvZkalm+KJNOUltDHBwb5imu+/qa4FKRs+h77g6yGTY4yMtJ3jdoQu
+d7iDSL2hfTybPpjUwGqZeiAKhGKybHVaXmiTWdHPXFb4Lm3gyCU1eGNoxQxRjkqp
+jyzL0ojyrmWuDgyGMSM4Z0T/QPkCAwEAAaOCAQIwgf8wDwYDVR0TAQH/BAUwAwIB
+ADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFIm/OdDqdbVXWNPJMB33dUw9sDf2MIG/
+BgNVHSMEgbcwgbSAFMNSkQ/7oChXSS29EvD8n7jWQQ3DoYGYpIGVMIGSMR8wHQYD
+VQQKExYuRENJTkVNQS5GUkFVTkhPRkVSLkRFMR8wHQYDVQQLExYuRENJTkVNQS5G
+UkFVTkhPRkVSLkRFMScwJQYDVQQDEx4uRUFTWURDUC5EQ0lORU1BLkZSQVVOSE9G
+RVIuREUxJTAjBgNVBC4THFhiZEgyS3F0TXQzQ3EwNzZudzlGaDc4bURIST2CARQw
+DQYJKoZIhvcNAQELBQADggEBADvcdrlUzCt3ZFlY/YaBGKMHjceVNZonhJKCFfLK
+h/uTyOCSfFqFW9S1Li2zPm78hnDEZlplMdNweiIZarz4ZuCGfqn2wB7LcORTK0sO
+tIaHAmzGtCTwxLAcRhGil8fgbbm6fvZT/rkwTFRYrzgC49CAB+qmpYdQYMjWZoS3
+9+lVRenq1c3rhVgm4s3Kw6rrcqbxs8LZ36OOghsYaks19XdQwTxd+g06Z8T1c2nc
+AfhaG5V0MAmI4TK1Cbkt2d/6ZxLBlmg18W1P3O/q2KE/mjzWjE2vRx7YZmmT7qFE
+/qcDqMNku+nTBu9CG6qJzJNVYMW5aPJUYT7dfiV4nt7hCXQ=</ds:X509Certificate>
+      </ds:X509Data>
+      <ds:X509Data>
+        <ds:X509IssuerSerial>
+          <ds:X509IssuerName>dnQualifier=XbdH2KqtMt3Cq076nw9Fh78mDHI=,CN=.EASYDCP.DCINEMA.FRAUNHOFER.DE,OU=.DCINEMA.FRAUNHOFER.DE,O=.DCINEMA.FRAUNHOFER.DE</ds:X509IssuerName>
+          <ds:X509SerialNumber>20</ds:X509SerialNumber>
+        </ds:X509IssuerSerial>
+        <ds:X509Certificate>MIIErTCCA5WgAwIBAgIBFDANBgkqhkiG9w0BAQsFADCBkjEfMB0GA1UEChMWLkRD
+SU5FTUEuRlJBVU5IT0ZFUi5ERTEfMB0GA1UECxMWLkRDSU5FTUEuRlJBVU5IT0ZF
+Ui5ERTEnMCUGA1UEAxMeLkVBU1lEQ1AuRENJTkVNQS5GUkFVTkhPRkVSLkRFMSUw
+IwYDVQQuExxYYmRIMktxdE10M0NxMDc2bnc5Rmg3OG1ESEk9MB4XDTExMDYyMTA5
+NDg1NVoXDTMxMDYxNTA5NDg1NVowgZoxHzAdBgNVBAoTFi5EQ0lORU1BLkZSQVVO
+SE9GRVIuREUxHzAdBgNVBAsTFi5EQ0lORU1BLkZSQVVOSE9GRVIuREUxLzAtBgNV
+BAMTJi5FQVNZRENQLUNSRUFUT1IuRENJTkVNQS5GUkFVTkhPRkVSLkRFMSUwIwYD
+VQQuExx3MUtSRC91Z0tGZEpMYjBTOFB5ZnVOWkJEY009MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAkynSqW0MJZIxpAgAAr8v4SScjKSzmhw4zkpn/R2R
+4nJlHsAXD5aQ3lFsrF3E/pvs872YRuH3MaiEfAWNZ1YGIYoRRdExvnsDQNftGdqU
+6peGIQl2Hh39KSPIk7BimTFz2AH/duw9qVIo/gmaaBVpe51Yj7dQxSKpFcx665wm
+82ADJibKT5LZ1EzScx7+vU5gAepmcG/BfsjjTrV5nQwZBlixZl9q7yjSfk7/acBC
+g3d32AIDP9jzS5aqqG7ba+6HS9SB7dCH957uC9uyZSqfh9tM+gaH+XKDaxjUxQ4F
+kIkrr2/ulgj3B6HwmZcQgvT6p3666rCWpfjF971eIywydwIDAQABo4IBAjCB/zAS
+BgNVHRMBAf8ECDAGAQH/AgEGMAsGA1UdDwQEAwICBDAdBgNVHQ4EFgQUw1KRD/ug
+KFdJLb0S8PyfuNZBDcMwgbwGA1UdIwSBtDCBsYAUXbdH2KqtMt3Cq076nw9Fh78m
+DHKhgZWkgZIwgY8xHzAdBgNVBAoTFi5EQ0lORU1BLkZSQVVOSE9GRVIuREUxHzAd
+BgNVBAsTFi5EQ0lORU1BLkZSQVVOSE9GRVIuREUxJDAiBgNVBAMTGy5ST09ULkRD
+SU5FTUEuRlJBVU5IT0ZFUi5ERTElMCMGA1UELhMcaXdkNVdybXlSdXZMZWdoQXVs
+WHJTa1lrUE1FPYIBETANBgkqhkiG9w0BAQsFAAOCAQEAYHB//pbbJfFv3cNuBkwB
+eUnj80LCYw+CpTVlPaCmwpJRb4Un72S+7cj6oyQrEtLfFxHKQIT8OVtycGtE0R9Q
+D07TSG35V3OZThmCtkpu24vezbdRfH2KwjAEH37ann1Jyyhv4Qc6zFBfIq2WyIYX
+hMcapfJr8nYGm+XwXmV/5AIgYTNT6twpEuCDOgBbDwQTVavPD5ppSPq61swG+P2Q
+oBNVmLF+zNdYaian+Kwh5FDTZHWCktRM+Ij3nBLwYQcWqiCPiLcrhD5hEi+biiSZ
+iNOwzQwECgmE95qFDPRD2iTHJES+xp4YhJgfgDyFHUe9miOVrqm8F0i3HyhcwxMk
+AA==</ds:X509Certificate>
+      </ds:X509Data>
+      <ds:X509Data>
+        <ds:X509IssuerSerial>
+          <ds:X509IssuerName>dnQualifier=iwd5WrmyRuvLeghAulXrSkYkPME=,CN=.ROOT.DCINEMA.FRAUNHOFER.DE,OU=.DCINEMA.FRAUNHOFER.DE,O=.DCINEMA.FRAUNHOFER.DE</ds:X509IssuerName>
+          <ds:X509SerialNumber>17</ds:X509SerialNumber>
+        </ds:X509IssuerSerial>
+        <ds:X509Certificate>MIIEojCCA4qgAwIBAgIBETANBgkqhkiG9w0BAQsFADCBjzEfMB0GA1UEChMWLkRD
+SU5FTUEuRlJBVU5IT0ZFUi5ERTEfMB0GA1UECxMWLkRDSU5FTUEuRlJBVU5IT0ZF
+Ui5ERTEkMCIGA1UEAxMbLlJPT1QuRENJTkVNQS5GUkFVTkhPRkVSLkRFMSUwIwYD
+VQQuExxpd2Q1V3JteVJ1dkxlZ2hBdWxYclNrWWtQTUU9MB4XDTExMDYyMTA5Mjky
+M1oXDTMxMDYxNjA5MjkyM1owgZIxHzAdBgNVBAoTFi5EQ0lORU1BLkZSQVVOSE9G
+RVIuREUxHzAdBgNVBAsTFi5EQ0lORU1BLkZSQVVOSE9GRVIuREUxJzAlBgNVBAMT
+Hi5FQVNZRENQLkRDSU5FTUEuRlJBVU5IT0ZFUi5ERTElMCMGA1UELhMcWGJkSDJL
+cXRNdDNDcTA3Nm53OUZoNzhtREhJPTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKQepptG8GIedG6ZF+JGUTLkZiuccKYqKF8duiVJHQbBsRh5wT8Dj42s
+qz8SLo3quj9uXEI6Pggx3pwUk4hc0pqJBKvfIyi2akHEo7XErVqrDOUszXXd3E/x
+9N+UJla5OEQsh68XiuacTcpJAk9CpSz2/QMDQtRZkEKWsnocM9XXVxNoOSfLyMQO
+JCoQKFGkcHGgFZi+z8EBHoyyE+27ybArmmcLI3ozUnOTVG6ynuXGYQfxOGsFroHj
+qvoOWquu+PIP3VWRya57nQDBgIxxFpHOaCh7wTjC9BFwL3Li7T2RqQnv/+77IrMR
+iLJP6A3hcAaOGD7AzTykn6WCmYMO4xsCAwEAAaOCAQIwgf8wEgYDVR0TAQH/BAgw
+BgEB/wIBBzALBgNVHQ8EBAMCAgQwHQYDVR0OBBYEFF23R9iqrTLdwqtO+p8PRYe/
+JgxyMIG8BgNVHSMEgbQwgbGAFIsHeVq5skbry3oIQLpV60pGJDzBoYGVpIGSMIGP
+MR8wHQYDVQQKExYuRENJTkVNQS5GUkFVTkhPRkVSLkRFMR8wHQYDVQQLExYuRENJ
+TkVNQS5GUkFVTkhPRkVSLkRFMSQwIgYDVQQDExsuUk9PVC5EQ0lORU1BLkZSQVVO
+SE9GRVIuREUxJTAjBgNVBC4THGl3ZDVXcm15UnV2TGVnaEF1bFhyU2tZa1BNRT2C
+AQAwDQYJKoZIhvcNAQELBQADggEBABe5lb8ylTLik3m5RkAKlCv8ujwcN/07Kb8O
+jgM4UaosgoLHxfb2UDKvOP7Bj3AngoKps+o6bjVgVUyHh+1HMTXWQ0WmQBxehxvu
+zDNEn87quCMu/179W9bnTFbN0tW2dtcLmx+stxCfAo4xmXftIQQga8zbxmZEXBM2
+gmHrPzpjTNFpy0RPatUwCUFUCjoXkxyMeuPG/Vc78g3TI9I4SpeapjQd021wYy/M
+xsZc3LlpqHJRRQSSpLgqc2DW4y9d7BMT6PjnNAYh/ieAKfcVLTjpCLnHfgbsOHKk
+smEJ9oI2Mi0NP2f6+iflMMU5IRmGuZ1XYe9NqKL0TYpC/m2ARLA=</ds:X509Certificate>
+      </ds:X509Data>
+      <ds:X509Data>
+        <ds:X509IssuerSerial>
+          <ds:X509IssuerName>dnQualifier=iwd5WrmyRuvLeghAulXrSkYkPME=,CN=.ROOT.DCINEMA.FRAUNHOFER.DE,OU=.DCINEMA.FRAUNHOFER.DE,O=.DCINEMA.FRAUNHOFER.DE</ds:X509IssuerName>
+          <ds:X509SerialNumber>0</ds:X509SerialNumber>
+        </ds:X509IssuerSerial>
+        <ds:X509Certificate>MIIEnzCCA4egAwIBAgIBADANBgkqhkiG9w0BAQsFADCBjzEfMB0GA1UEChMWLkRD
+SU5FTUEuRlJBVU5IT0ZFUi5ERTEfMB0GA1UECxMWLkRDSU5FTUEuRlJBVU5IT0ZF
+Ui5ERTEkMCIGA1UEAxMbLlJPT1QuRENJTkVNQS5GUkFVTkhPRkVSLkRFMSUwIwYD
+VQQuExxpd2Q1V3JteVJ1dkxlZ2hBdWxYclNrWWtQTUU9MB4XDTExMDYyMTA5MjYw
+NVoXDTM2MDYxNDA5MjYwNVowgY8xHzAdBgNVBAoTFi5EQ0lORU1BLkZSQVVOSE9G
+RVIuREUxHzAdBgNVBAsTFi5EQ0lORU1BLkZSQVVOSE9GRVIuREUxJDAiBgNVBAMT
+Gy5ST09ULkRDSU5FTUEuRlJBVU5IT0ZFUi5ERTElMCMGA1UELhMcaXdkNVdybXlS
+dXZMZWdoQXVsWHJTa1lrUE1FPTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBALwfBAN6kUR+i+HWcs/eqYrDJufPNob9jOdkNCjRjOWuvMqYk+DO/jl63P93
+C7yEZYmvc/uJrQ8rm0Bbru6tuU6u7jJePr4VXTWh2lShZmJhEkjuSa7Fs5XDFtKm
+OjOLPDN/VKqhcFHSwIZbmJT9FeYt34ogIHMUuh+SBIu69vQ3dSLkBwkAxHi8O9Dc
+8TXIDfZRFwvqXKcsmOySxYSFNNAr/V7mhn8lJNjNq4ROL/Pipy0ucn4uyBxmDDdS
+DWWqcH/zOKB6bjiEfHgAfX0cH7LTzH04ewSpLkRfOfQrFvksu8EGJMVwC2LaVJxw
+FMxxx/focAjmc6iMh4PPHKfdceUCAwEAAaOCAQIwgf8wEgYDVR0TAQH/BAgwBgEB
+/wIBCDALBgNVHQ8EBAMCAgQwHQYDVR0OBBYEFIsHeVq5skbry3oIQLpV60pGJDzB
+MIG8BgNVHSMEgbQwgbGAFIsHeVq5skbry3oIQLpV60pGJDzBoYGVpIGSMIGPMR8w
+HQYDVQQKExYuRENJTkVNQS5GUkFVTkhPRkVSLkRFMR8wHQYDVQQLExYuRENJTkVN
+QS5GUkFVTkhPRkVSLkRFMSQwIgYDVQQDExsuUk9PVC5EQ0lORU1BLkZSQVVOSE9G
+RVIuREUxJTAjBgNVBC4THGl3ZDVXcm15UnV2TGVnaEF1bFhyU2tZa1BNRT2CAQAw
+DQYJKoZIhvcNAQELBQADggEBAAitUV/a104dNZSeTAtZrsUHfIKGtBjD4sKl5U4P
+99ALFzmInaX8Yvu6G0/ENE/gMZlFLxLhD6htAUg7LVB5h/oilCIPRJZpDrRUEAA4
+xs+5kxtI93Y324TijnrsRpgQwNAulaxAfV1zleMT1YotqeA63VBoTjFPVwQeahvK
+iumNYfR6UhYLrH4GLcuUIud8xU4rO4vI6P6K5r8iapyTWfsE4I+bKsOr4QXd5JgM
+9DM1tQxJxEfiHbP6poRY4cLtKF6exX2M2WZXjtHsIcuRfEp6Mq2jvpnVM0Le1lO8
+8Yt6lfHl85qsk9XWo6mkDzr9BC7Kelv0nqwfOsZPRg1cyDU=</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+</DCinemaSecurityMessage>
diff --git a/test/decryption_test.cc b/test/decryption_test.cc
index 7f919898..e075a512 100644
--- a/test/decryption_test.cc
+++ b/test/decryption_test.cc
@@ -67,3 +67,12 @@ BOOST_AUTO_TEST_CASE (decryption_test)
 	BOOST_CHECK_EQUAL (plaintext_frame->size().height, encrypted_frame->size().height);
 	BOOST_CHECK_EQUAL (memcmp (plaintext_frame->data(), encrypted_frame->data(), plaintext_frame->stride() * plaintext_frame->size().height), 0);
 }
+
+/** Load in a KDM that didn't work at first */
+BOOST_AUTO_TEST_CASE (failing_kdm_test)
+{
+	libdcp::KDM kdm (
+		"test/data/target.pem.crt.de5d4eba-e683-41ca-bdda-aa4ad96af3f4.kdm.xml",
+		"test/data/private.key"
+		);
+}
diff --git a/test/ref/base64_test_decoded b/test/ref/base64_test_decoded
new file mode 100644
index 00000000..7744488f
--- /dev/null
+++ b/test/ref/base64_test_decoded
@@ -0,0 +1,2 @@
+zjq�f%�_��F�N���Iފ��ŕ�:#��j�ox�˷N7�?K
�$�|�B�T3��͎���bi��ѯ~o�lUK��{t������}��8�pje`����E��z��ڕ�AT&��d1|�
n��n�L,[zE1Q��/���,?$��4<��!�
�$�C[*&�¿9^��d�y���`,
+�S�8�u�,Z"w�o�y҃-ěQ7�4�L
�;<�S����Q�
J\Z(Q�Cs�*���\��p��BKo[
\ No newline at end of file
diff --git a/test/tests.cc b/test/tests.cc
index acf3b990..fa0b57ab 100644
--- a/test/tests.cc
+++ b/test/tests.cc
@@ -70,8 +70,9 @@ wav (libdcp::Channel)
 
 static string test_corpus = "../libdcp-test";
 
-#include "kdm_test.cc"
+#include "util_test.cc"
 #include "decryption_test.cc"
+#include "kdm_test.cc"
 #include "dcp_test.cc"
 #include "error_test.cc"
 #include "read_dcp_test.cc"
diff --git a/test/util_test.cc b/test/util_test.cc
new file mode 100644
index 00000000..fa873c75
--- /dev/null
+++ b/test/util_test.cc
@@ -0,0 +1,53 @@
+/*
+    Copyright (C) 2013 Carl Hetherington <cth@carlh.net>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#include <fstream>
+
+using std::ifstream;
+
+BOOST_AUTO_TEST_CASE (bsae64_decode_test)
+{
+	int const N = 256;
+	
+	ifstream f ("test/data/base64_test");
+	BOOST_CHECK (f.good ());
+	string s;
+	while (f.good ()) {
+		string l;
+		getline (f, l);
+		s += l;
+	}
+
+	ifstream g ("test/ref/base64_test_decoded", std::ios::binary);
+	BOOST_CHECK (g.good ());
+	unsigned char ref_decoded[N];
+	for (int i = 0; i < N; ++i) {
+		char c;
+		g.get (c);
+		ref_decoded[i] = static_cast<unsigned char> (c);
+	}
+
+	unsigned char decoded[N];
+	int const r = libdcp::base64_decode (s, decoded, N);
+	BOOST_CHECK_EQUAL (r, N);
+
+	for (int i = 0; i < N; ++i) {
+		BOOST_CHECK_EQUAL (decoded[i], ref_decoded[i]);
+	}
+}