authorCarl Hetherington <cth@carlh.net>2015-11-15 20:53:25 +0000
committerCarl Hetherington <cth@carlh.net>2015-11-15 20:53:25 +0000
commitcb18463291c502979d661b75e9e446f6c9bb0e3c (patch)
tree99f2b5b3bef02dfcc053905f9193f98028eab2bc
parentdc31f6d229c0b0c3d953022594c8bb713ca5d72e (diff)
Support trusted device lists in KDMs.
-rw-r--r--src/certificate.cc4
-rw-r--r--src/decrypted_kdm.cc4
-rw-r--r--src/decrypted_kdm.h9
-rw-r--r--src/encrypted_kdm.cc23
-rw-r--r--src/encrypted_kdm.h1
-rw-r--r--test/encryption_test.cc3
-rw-r--r--test/round_trip_test.cc3
7 files changed, 35 insertions, 12 deletions
diff --git a/src/certificate.cc b/src/certificate.cc
index 3eb6e76b..79b71716 100644
--- a/src/certificate.cc
+++ b/src/certificate.cc
@@ -66,7 +66,9 @@ Certificate::Certificate (Certificate const & other)
: _certificate (0)
, _public_key (0)
{
- read_string (other.certificate (true));
+ if (other._certificate) {
+ read_string (other.certificate (true));
+ }
}
/** Read a certificate from a string.
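Review bot: The new `if (other._certificate)` guard makes copying an empty Certificate succeed silently, and nothing in the constructor tells a reader that an empty copy is an intended result. A short comment above the guard, such as `/* other may be empty (no certificate loaded); the copy is then left empty too */`, would make that explicit. If the assignment operator also goes through `read_string (other.certificate (true))` (it is not visible in this hunk), it presumably needs the same guard so that copy and assignment agree.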
diff --git a/src/decrypted_kdm.cc b/src/decrypted_kdm.cc
index 3e48e23f..99cbca10 100644
--- a/src/decrypted_kdm.cc
+++ b/src/decrypted_kdm.cc
@@ -36,6 +36,7 @@
#include <boost/foreach.hpp>
using std::list;
+using std::vector;
using std::string;
using std::stringstream;
using std::setw;
@@ -249,7 +250,7 @@ DecryptedKDM::add_key (DecryptedKDMKey key)
}
EncryptedKDM
-DecryptedKDM::encrypt (shared_ptr<const CertificateChain> signer, Certificate recipient, Formulation formulation) const
+DecryptedKDM::encrypt (shared_ptr<const CertificateChain> signer, Certificate recipient, vector<Certificate> trusted_devices, Formulation formulation) const
{
list<pair<string, string> > key_ids;
list<string> keys;
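Review bot: `vector<Certificate> trusted_devices` is taken by value here, in the declaration in src/decrypted_kdm.h, and again in the EncryptedKDM constructor (src/encrypted_kdm.cc and src/encrypted_kdm.h), so the whole list is copied at each call. The copy constructor shown in src/certificate.cc copies by calling `read_string (other.certificate (true))`, so each copy appears to re-serialise and re-parse every certificate. The list is only read, so `vector<Certificate> const & trusted_devices` in all four signatures would avoid that work. The body of encrypt continues outside this hunk.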
@@ -305,6 +306,7 @@ DecryptedKDM::encrypt (shared_ptr<const CertificateChain> signer, Certificate re
return EncryptedKDM (
signer,
recipient,
+ trusted_devices,
device_list_description,
_keys.front().cpl_id (),
_content_title_text,
diff --git a/src/decrypted_kdm.h b/src/decrypted_kdm.h
index 2cb934bb..f7d21dbe 100644
--- a/src/decrypted_kdm.h
+++ b/src/decrypted_kdm.h
@@ -90,10 +90,17 @@ public:
/** Encrypt this KDM's keys and sign the whole KDM.
* @param signer Chain to sign with.
* @param recipient Certificate of the projector/server which should receive this KDM's keys.
+ * @param trusted_devices Extra trusted devices which should be written to the KDM (recipient will be written
+ * as a trusted device automatically and does not need to be included in this list).
* @param formulation Formulation to use for the encrypted KDM.
* @return Encrypted KDM.
*/
- EncryptedKDM encrypt (boost::shared_ptr<const CertificateChain> signer, Certificate recipient, Formulation formulation) const;
+ EncryptedKDM encrypt (
+ boost::shared_ptr<const CertificateChain> signer,
+ Certificate recipient,
+ std::vector<Certificate> trusted_devices,
+ Formulation formulation
+ ) const;
void add_key (std::string type, std::string key_id, Key key, std::string cpl_id);
void add_key (DecryptedKDMKey key);
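Review bot: The new `@param trusted_devices` text says the recipient "will be written as a trusted device automatically", but the constructor in src/encrypted_kdm.cc only does that for `DCI_SPECIFIC`. For `MODIFIED_TRANSITIONAL_1` and `DCI_ANY` the list is never read and only the "assume trust" thumbprint is written. A caller who passes a device list with one of those formulations therefore gets a KDM carrying the "assume trust" thumbprint rather than the listed devices, with no indication that the list was dropped. The comment should say so, e.g. `Only used when formulation is DCI_SPECIFIC; ignored for MODIFIED_TRANSITIONAL_1 and DCI_ANY, which write the "assume trust" thumbprint instead.` Rejecting a non-empty list for those formulations would be the stricter alternative.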
diff --git a/src/encrypted_kdm.cc b/src/encrypted_kdm.cc
index 8ecee9f0..13a9eb05 100644
--- a/src/encrypted_kdm.cc
+++ b/src/encrypted_kdm.cc
@@ -25,8 +25,10 @@
#include <libxml++/nodes/element.h>
#include <libxml/parser.h>
#include <boost/date_time/posix_time/posix_time.hpp>
+#include <boost/foreach.hpp>
using std::list;
+using std::vector;
using std::string;
using std::map;
using std::pair;
@@ -275,9 +277,10 @@ public:
AuthorizedDeviceInfo (shared_ptr<const cxml::Node> node)
: device_list_identifier (node->string_child ("DeviceListIdentifier").substr (9))
, device_list_description (node->optional_string_child ("DeviceListDescription"))
- , certificate_thumbprint (node->node_child("DeviceList")->string_child ("CertificateThumbprint"))
{
-
+ BOOST_FOREACH (cxml::ConstNodePtr i, node->node_child("DeviceList")->node_children("CertificateThumbprint")) {
+ certificate_thumbprints.push_back (i->content ());
+ }
}
void as_xml (xmlpp::Element* node) const
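Review bot: The constructor now accepts a `DeviceList` with no `CertificateThumbprint` children and simply leaves `certificate_thumbprints` empty. The removed `string_child ("CertificateThumbprint")` call read a single required child and presumably failed when it was missing. An EncryptedKDM parsed from such a file would then carry an empty trusted device list and re-emit it through as_xml. A check after the loop, e.g. `if (certificate_thumbprints.empty ()) { /* report a malformed KDM the way other parse failures are reported */ }`, would keep the old strictness for the zero-thumbprint case.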
@@ -287,13 +290,15 @@ public:
node->add_child ("DeviceListDescription")->add_child_text (device_list_description.get());
}
xmlpp::Element* device_list = node->add_child ("DeviceList");
- device_list->add_child("CertificateThumbprint")->add_child_text (certificate_thumbprint);
+ BOOST_FOREACH (string i, certificate_thumbprints) {
+ device_list->add_child("CertificateThumbprint")->add_child_text (i);
+ }
}
/** DeviceListIdentifier without the urn:uuid: prefix */
string device_list_identifier;
boost::optional<string> device_list_description;
- string certificate_thumbprint;
+ std::list<string> certificate_thumbprints;
};
class X509IssuerSerial
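Review bot: `BOOST_FOREACH (string i, certificate_thumbprints)` copies each thumbprint string per iteration. `BOOST_FOREACH (string const & i, certificate_thumbprints)` would match the `Certificate const & i` form this commit uses in the EncryptedKDM constructor. The member is also spelled `std::list<string>` although the file has `using std::list;` in scope, so `list<string> certificate_thumbprints;` would be consistent with the other declarations in the file.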
@@ -501,6 +506,7 @@ EncryptedKDM::EncryptedKDM (string s)
EncryptedKDM::EncryptedKDM (
shared_ptr<const CertificateChain> signer,
Certificate recipient,
+ vector<Certificate> trusted_devices,
string device_list_description,
string cpl_id,
string content_title_text,
@@ -539,10 +545,13 @@ EncryptedKDM::EncryptedKDM (
if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
/* Use the "assume trust" thumbprint */
- kre.authorized_device_info.certificate_thumbprint = "2jmj7l5rSw0yVb/vlWAYkK/YBwk=";
+ kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
} else if (formulation == DCI_SPECIFIC) {
- /* Use the recipient thumbprint */
- kre.authorized_device_info.certificate_thumbprint = recipient.thumbprint ();
+ /* Use the recipient and other trusted device thumbprints */
+ kre.authorized_device_info.certificate_thumbprints.push_back (recipient.thumbprint ());
+ BOOST_FOREACH (Certificate const & i, trusted_devices) {
+ kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
+ }
}
for (list<pair<string, string> >::const_iterator i = key_ids.begin(); i != key_ids.end(); ++i) {
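Review bot: The loop over `trusted_devices` calls `i.thumbprint ()` on every entry without checking that the entry actually holds a certificate. The src/certificate.cc change in this commit makes empty Certificates copyable, so an empty one can now sit in the vector. What `thumbprint ()` does for an empty certificate is not visible here; if it does not fail, a meaningless thumbprint would be written into the signed device list. It would be safer to reject empty entries before the loop, and to skip any entry whose thumbprint equals `recipient.thumbprint ()` so the recipient is not listed twice when a caller includes it. The constructor body starts and ends outside this hunk.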
diff --git a/src/encrypted_kdm.h b/src/encrypted_kdm.h
index a22b3b40..9e5b09d4 100644
--- a/src/encrypted_kdm.h
+++ b/src/encrypted_kdm.h
@@ -83,6 +83,7 @@ private:
EncryptedKDM (
boost::shared_ptr<const CertificateChain> signer,
Certificate recipient,
+ std::vector<Certificate> trusted_devices,
std::string device_list_description,
std::string cpl_id,
std::string cpl_content_title_text,
diff --git a/test/encryption_test.cc b/test/encryption_test.cc
index bab20958..7c8256fa 100644
--- a/test/encryption_test.cc
+++ b/test/encryption_test.cc
@@ -39,6 +39,7 @@
#include <boost/test/unit_test.hpp>
#include <boost/shared_ptr.hpp>
+using std::vector;
using boost::shared_ptr;
/** Load a certificate chain from build/test/data/ *.pem and then build
@@ -132,7 +133,7 @@ BOOST_AUTO_TEST_CASE (encryption_test)
"2012-07-17T04:45:18+00:00"
);
- kdm.encrypt (signer, signer->leaf(), dcp::MODIFIED_TRANSITIONAL_1).as_xml ("build/test/encryption_test.kdm.xml");
+ kdm.encrypt (signer, signer->leaf(), vector<dcp::Certificate>(), dcp::MODIFIED_TRANSITIONAL_1).as_xml ("build/test/encryption_test.kdm.xml");
int r = system (
"xmllint --path schema --nonet --noout --schema schema/SMPTE-430-1-2006-Amd-1-2009-KDM.xsd build/test/encryption_test.kdm.xml "
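Review bot: Both updated tests (this one and test/round_trip_test.cc) pass `vector<dcp::Certificate>()` with `dcp::MODIFIED_TRANSITIONAL_1`. The new `DCI_SPECIFIC` branch that writes several thumbprints, and the new multi-thumbprint parsing in AuthorizedDeviceInfo, are therefore never run. A case that encrypts with `dcp::DCI_SPECIFIC` and a non-empty device list, reloads the XML and checks the thumbprints that come back would cover the feature this commit adds. The test body continues outside this hunk.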
diff --git a/test/round_trip_test.cc b/test/round_trip_test.cc
index a1f44a3e..45b2cbad 100644
--- a/test/round_trip_test.cc
+++ b/test/round_trip_test.cc
@@ -40,6 +40,7 @@
#include <iostream>
using std::list;
+using std::vector;
using boost::shared_ptr;
using boost::scoped_array;
@@ -81,7 +82,7 @@ BOOST_AUTO_TEST_CASE (round_trip_test)
boost::filesystem::path const kdm_file = work_dir / "kdm.xml";
- kdm_A.encrypt(signer, signer->leaf(), dcp::MODIFIED_TRANSITIONAL_1).as_xml (kdm_file);
+ kdm_A.encrypt(signer, signer->leaf(), vector<dcp::Certificate>(), dcp::MODIFIED_TRANSITIONAL_1).as_xml (kdm_file);
/* Reload the KDM, using our private key to decrypt it */
dcp::DecryptedKDM kdm_B (dcp::EncryptedKDM (dcp::file_to_string (kdm_file)), signer->key().get ());