Can decrypt a KDM.

3 files changed, 249 insertions, 2 deletions

diff --git a/src/kdm.cc b/src/kdm.cc
new file mode 100644
index 00000000..14a351e1
--- /dev/null
+++ b/src/kdm.cc
@@ -0,0 +1,154 @@
+/*
+    Copyright (C) 2013 Carl Hetherington <cth@carlh.net>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#include <iomanip>
+#include <openssl/rsa.h>
+#include <openssl/pem.h>
+#include <libcxml/cxml.h>
+#include "KM_util.h"
+#include "kdm.h"
+#include "exceptions.h"
+
+using std::list;
+using std::string;
+using std::stringstream;
+using std::hex;
+using std::setw;
+using std::setfill;
+using boost::shared_ptr;
+using namespace libdcp;
+
+KDM::KDM (boost::filesystem::path kdm, boost::filesystem::path private_key)
+{
+	/* Read the private key */
+	   
+	FILE* private_key_file = fopen (private_key.string().c_str(), "r");
+	if (!private_key_file) {
+		throw FileError ("could not find RSA private key file", private_key.string ());
+	}
+	
+	RSA* rsa = PEM_read_RSAPrivateKey (private_key_file, 0, 0, 0);
+	fclose (private_key_file);	
+	if (!rsa) {
+		throw FileError ("could not read RSA private key file", private_key.string ());
+	}
+
+	
+	/* Read the KDM, decrypting it */
+
+	cxml::File f (kdm.string (), "DCinemaSecurityMessage");
+
+	shared_ptr<cxml::Node> authenticated_private = f.node_child ("AuthenticatedPrivate");
+	list<shared_ptr<cxml::Node> > encrypted_keys = authenticated_private->node_children ("EncryptedKey");
+
+	for (list<shared_ptr<cxml::Node> >::iterator i = encrypted_keys.begin(); i != encrypted_keys.end(); ++i) {
+
+		/* Get the base-64-encoded cipher value from the KDM */
+		shared_ptr<cxml::Node> cipher_data = (*i)->node_child ("CipherData");
+		shared_ptr<cxml::Node> cipher_value_base64 = cipher_data->node_child ("CipherValue");
+
+		/* Decode it from base-64 */
+		unsigned char cipher_value[256];
+		ui32_t cipher_value_len;
+		if (Kumu::base64decode (cipher_value_base64->content().c_str(), cipher_value, sizeof (cipher_value), &cipher_value_len)) {
+			RSA_free (rsa);
+			throw MiscError ("could not base-64-decode CipherValue from KDM");
+		}
+
+		/* Decrypt it */
+		unsigned char decrypted[256];
+		unsigned int const decrypted_len = RSA_private_decrypt (cipher_value_len, cipher_value, decrypted, rsa, RSA_PKCS1_OAEP_PADDING);
+		assert (decrypted_len < sizeof (decrypted));
+
+		_ciphers.push_back (KDMCipher (decrypted, decrypted_len));
+	}
+
+	RSA_free (rsa);
+}
+
+
+KDMCipher::KDMCipher (unsigned char const * raw, int len)
+{
+	switch (len) {
+	case 134:
+		/* interop */
+		_structure_id = get (&raw, 16);
+		_signer_thumbprint = get (&raw, 20);
+		_cpl_id = get_uuid (&raw, 16);
+		_key_id = get_uuid (&raw, 16);
+		_not_valid_before = get (&raw, 25);
+		_not_valid_after = get (&raw, 25);
+		_key_data = get_hex (&raw, 16);
+		break;
+	case 138:
+		/* SMPTE */
+		_structure_id = get (&raw, 16);
+		_signer_thumbprint = get (&raw, 20);
+		_cpl_id = get_uuid (&raw, 16);
+		_key_type = get (&raw, 4);
+		_key_id = get_uuid (&raw, 16);
+		_not_valid_before = get (&raw, 25);
+		_not_valid_after = get (&raw, 25);
+		_key_data = get_hex (&raw, 16);
+		break;
+	default:
+		assert (false);
+	}
+}
+
+string
+KDMCipher::get (unsigned char const ** p, int N) const
+{
+	string g;
+	for (int i = 0; i < N; ++i) {
+		g += **p;
+		(*p)++;
+	}
+
+	return g;
+}
+
+string
+KDMCipher::get_uuid (unsigned char const ** p, int N) const
+{
+	stringstream g;
+	
+	for (int i = 0; i < N; ++i) {
+		g << setw(2) << setfill('0') << hex << static_cast<int> (**p);
+		(*p)++;
+		if (i == 3 || i == 5 || i == 7 || i == 9) {
+			g << '-';
+		}
+	}
+
+	return g.str ();
+}
+
+string
+KDMCipher::get_hex (unsigned char const ** p, int N) const
+{
+	stringstream g;
+	
+	for (int i = 0; i < N; ++i) {
+		g << setw(2) << setfill('0') << hex << static_cast<int> (**p);
+		(*p)++;
+	}
+
+	return g.str ();
+}
diff --git a/src/kdm.h b/src/kdm.h
new file mode 100644
index 00000000..0b450987
--- /dev/null
+++ b/src/kdm.h
@@ -0,0 +1,92 @@
+/*
+    Copyright (C) 2013 Carl Hetherington <cth@carlh.net>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+*/
+
+#include <boost/filesystem.hpp>
+
+namespace libdcp {
+
+class KDMCipher
+{
+public:
+	KDMCipher (unsigned char const *, int);
+
+	std::string structure_id () const {
+		return _structure_id;
+	}
+	
+	std::string signer_thumbprint () const {
+		return _signer_thumbprint;
+	}
+	
+	std::string cpl_id () const {
+		return _cpl_id;
+	}
+	
+	std::string key_type () const {
+		return _key_type;
+	}
+	
+	std::string key_id () const {
+		return _key_id;
+	}
+
+	std::string not_valid_before () const {
+		return _not_valid_before;
+	}
+	
+	std::string not_valid_after () const {
+		return _not_valid_after;
+	}
+	
+	std::string key_data () const {
+		return _key_data;
+	}
+	
+private:
+	std::string get (unsigned char const **, int) const;
+	std::string get_uuid (unsigned char const **, int) const;
+	std::string get_hex (unsigned char const **, int) const;
+	
+	std::string _structure_id;
+	std::string _signer_thumbprint;
+	std::string _cpl_id;
+	std::string _key_type;
+	std::string _key_id;
+	std::string _not_valid_before;
+	std::string _not_valid_after;
+	std::string _key_data;
+};
+
+class KDM
+{
+public:
+	KDM (boost::filesystem::path, boost::filesystem::path);
+
+	std::list<KDMCipher> ciphers () const {
+		return _ciphers;
+	}
+
+private:
+	std::list<KDMCipher> _ciphers;
+};
+
+
+}
+
+	
diff --git a/src/wscript b/src/wscript
index 93d6d5c1..acbfdfc0 100644
--- a/src/wscript
+++ b/src/wscript
@@ -10,19 +10,20 @@ def build(bld):
     obj.uselib = 'BOOST_FILESYSTEM BOOST_SIGNALS2 BOOST_DATETIME OPENSSL SIGC++ LIBXML++ OPENJPEG CXML XMLSEC1'
     obj.use = 'libkumu-libdcp libasdcp-libdcp'
     obj.source = """
+                 argb_frame.cc
                  asset.cc
-                 dcp.cc        
                  certificates.cc
                  crypt_chain.cc
                  cpl.cc
+                 dcp.cc        
                  dcp_time.cc
                  gamma_lut.cc
+                 kdm.cc
                  metadata.cc
                  mxf_asset.cc
                  picture_asset.cc
                  picture_frame.cc
                  reel.cc
-                 argb_frame.cc
                  sound_asset.cc
                  sound_frame.cc
                  subtitle_asset.cc