diff options
| author | Carl Hetherington <cth@carlh.net> | 2013-09-19 13:49:37 +0100 |
|---|---|---|
| committer | Carl Hetherington <cth@carlh.net> | 2013-09-19 13:49:37 +0100 |
| commit | 452144160eb864984121d3fa883a12d40fbf7e47 (patch) | |
| tree | f5da78c803eb8f668d2409de856ddc86be81d492 /src | |
| parent | afeea0415dd56a3106a4c71df2e4a6ccc2d72e74 (diff) | |
Rename Encryption -> Signer; move some methods into it.
Diffstat (limited to 'src')
| -rw-r--r-- | src/cpl.cc | 23 | ||||
| -rw-r--r-- | src/cpl.h | 12 | ||||
| -rw-r--r-- | src/dcp.cc | 16 | ||||
| -rw-r--r-- | src/dcp.h | 6 | ||||
| -rw-r--r-- | src/signer.cc | 135 | ||||
| -rw-r--r-- | src/signer.h (renamed from src/encryption.h) | 23 | ||||
| -rw-r--r-- | src/util.cc | 105 | ||||
| -rw-r--r-- | src/wscript | 1 |
8 files changed, 180 insertions, 141 deletions
@@ -28,7 +28,7 @@ #include "parse/asset_map.h" #include "reel.h" #include "metadata.h" -#include "encryption.h" +#include "signer.h" #include "exceptions.h" #include "compose.hpp" @@ -206,7 +206,7 @@ CPL::add_reel (shared_ptr<Reel> reel) } void -CPL::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<Encryption> crypt) const +CPL::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<const Signer> signer) const { boost::filesystem::path p; p /= _directory; @@ -222,7 +222,7 @@ CPL::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<Encryptio root = doc.create_root_node ("CompositionPlaylist", "http://www.smpte-ra.org/schemas/429-7/2006/CPL"); } - if (crypt) { + if (signer) { root->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "dsig"); } @@ -246,8 +246,8 @@ CPL::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<Encryptio (*i)->write_to_cpl (reel_list, interop); } - if (crypt) { - sign (root, crypt->certificates, crypt->signer_key, interop); + if (signer) { + signer->sign (root, interop); } doc.write_to_file_formatted (p.string (), "UTF-8"); @@ -346,8 +346,7 @@ CPL::equals (CPL const & other, EqualityOptions opt, boost::function<void (NoteT shared_ptr<xmlpp::Document> CPL::make_kdm ( - CertificateChain const & certificates, - boost::filesystem::path signer_key, + shared_ptr<const Signer> signer, shared_ptr<const Certificate> recipient_cert, boost::posix_time::ptime from, boost::posix_time::ptime until, @@ -376,9 +375,9 @@ CPL::make_kdm ( authenticated_public->add_child("IssueDate")->add_child_text (xml_metadata.issue_date); { - xmlpp::Element* signer = authenticated_public->add_child("Signer"); - signer->add_child("X509IssuerName", "ds")->add_child_text (certificates.leaf()->issuer()); - signer->add_child("X509SerialNumber", "ds")->add_child_text (certificates.leaf()->serial()); + xmlpp::Element* xml_signer = authenticated_public->add_child("Signer"); + xml_signer->add_child("X509IssuerName", "ds")->add_child_text (signer->certificates().leaf()->issuer()); + xml_signer->add_child("X509SerialNumber", "ds")->add_child_text (signer->certificates().leaf()->serial()); } { @@ -400,7 +399,7 @@ CPL::make_kdm ( kdm_required_extensions->add_child("CompositionPlaylistId")->add_child_text("urn:uuid:" + _id); kdm_required_extensions->add_child("ContentTitleText")->add_child_text(_name); - kdm_required_extensions->add_child("ContentAuthenticator")->add_child_text(certificates.leaf()->thumbprint()); + kdm_required_extensions->add_child("ContentAuthenticator")->add_child_text(signer->certificates().leaf()->thumbprint()); kdm_required_extensions->add_child("ContentKeysNotValidBefore")->add_child_text(ptime_to_string (from)); kdm_required_extensions->add_child("ContentKeysNotValidAfter")->add_child_text(ptime_to_string (until)); @@ -494,7 +493,7 @@ CPL::make_kdm ( } } - add_signature_value (signature, certificates, signer_key, "ds"); + signer->add_signature_value (signature, "ds"); } return doc; @@ -41,7 +41,7 @@ class Asset; class Reel; class XMLMetadata; class MXFMetadata; -class Encryption; +class Signer; class KDM; /** @brief A CPL within a DCP */ @@ -91,22 +91,20 @@ public: bool equals (CPL const & other, EqualityOptions options, boost::function<void (NoteType, std::string)> note) const; - void write_xml (bool, XMLMetadata const &, boost::shared_ptr<Encryption>) const; + void write_xml (bool, XMLMetadata const &, boost::shared_ptr<const Signer>) const; void write_to_assetmap (xmlpp::Node *) const; void write_to_pkl (xmlpp::Node *) const; /** Make a KDM for this CPL. - * @param certificates - * @param signer_key Filename of private key to sign the KDM with. + * @param signer Details of the certificates and private key to sign the KDM with. * @param recipient_cert The certificate of the projector that this KDM is targeted at. This will contain the - * projector's public key (P) which is used to encrypt the content keys. + * projector's public key which is used to encrypt the content keys. * @param from Time that the KDM should be valid from. * @param until Time that the KDM should be valid until. * @param interop true to generate an interop KDM, false for SMPTE. */ boost::shared_ptr<xmlpp::Document> make_kdm ( - CertificateChain const & certificates, - boost::filesystem::path signer_key, + boost::shared_ptr<const Signer> signer, boost::shared_ptr<const Certificate> recipient_cert, boost::posix_time::ptime from, boost::posix_time::ptime until, @@ -45,7 +45,7 @@ #include "parse/asset_map.h" #include "reel.h" #include "cpl.h" -#include "encryption.h" +#include "signer.h" #include "kdm.h" using std::string; @@ -67,21 +67,21 @@ DCP::DCP (string directory) } void -DCP::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<Encryption> crypt) const +DCP::write_xml (bool interop, XMLMetadata const & metadata, shared_ptr<Signer> signer) const { for (list<shared_ptr<CPL> >::const_iterator i = _cpls.begin(); i != _cpls.end(); ++i) { - (*i)->write_xml (interop, metadata, crypt); + (*i)->write_xml (interop, metadata, signer); } string pkl_uuid = make_uuid (); - string pkl_path = write_pkl (pkl_uuid, interop, metadata, crypt); + string pkl_path = write_pkl (pkl_uuid, interop, metadata, signer); write_volindex (); write_assetmap (pkl_uuid, boost::filesystem::file_size (pkl_path), interop, metadata); } std::string -DCP::write_pkl (string pkl_uuid, bool interop, XMLMetadata const & metadata, shared_ptr<Encryption> crypt) const +DCP::write_pkl (string pkl_uuid, bool interop, XMLMetadata const & metadata, shared_ptr<Signer> signer) const { assert (!_cpls.empty ()); @@ -99,7 +99,7 @@ DCP::write_pkl (string pkl_uuid, bool interop, XMLMetadata const & metadata, sha pkl = doc.create_root_node("PackingList", "http://www.smpte-ra.org/schemas/429-8/2007/PKL"); } - if (crypt) { + if (signer) { pkl->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "dsig"); } @@ -120,8 +120,8 @@ DCP::write_pkl (string pkl_uuid, bool interop, XMLMetadata const & metadata, sha (*i)->write_to_pkl (asset_list); } - if (crypt) { - sign (pkl, crypt->certificates, crypt->signer_key, interop); + if (signer) { + signer->sign (pkl, interop); } doc.write_to_file_formatted (p.string (), "UTF-8"); @@ -47,7 +47,7 @@ class SubtitleAsset; class Reel; class CPL; class XMLMetadata; -class Encryption; +class Signer; class KDM; namespace parse { @@ -83,7 +83,7 @@ public: /** Write the required XML files to the directory that was * passed into the constructor. */ - void write_xml (bool interop, XMLMetadata const &, boost::shared_ptr<Encryption> crypt = boost::shared_ptr<Encryption> ()) const; + void write_xml (bool interop, XMLMetadata const &, boost::shared_ptr<Signer> signer = boost::shared_ptr<Signer> ()) const; /** Compare this DCP with another, according to various options. * @param other DCP to compare this one to. @@ -126,7 +126,7 @@ private: /** Write the PKL file. * @param pkl_uuid UUID to use. */ - std::string write_pkl (std::string pkl_uuid, bool, XMLMetadata const &, boost::shared_ptr<Encryption>) const; + std::string write_pkl (std::string pkl_uuid, bool, XMLMetadata const &, boost::shared_ptr<Signer>) const; /** Write the VOLINDEX file */ void write_volindex () const; diff --git a/src/signer.cc b/src/signer.cc new file mode 100644 index 00000000..999ee594 --- /dev/null +++ b/src/signer.cc @@ -0,0 +1,135 @@ +/* + Copyright (C) 2013 Carl Hetherington <cth@carlh.net> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +*/ + +#include <libxml++/libxml++.h> +#include <xmlsec/xmldsig.h> +#include <xmlsec/dl.h> +#include <xmlsec/app.h> +#include "signer.h" +#include "exceptions.h" + +using std::string; +using std::list; +using boost::shared_ptr; +using namespace libdcp; + +/** @param signer_key Filename of private key to sign with */ +void +Signer::sign (xmlpp::Element* parent, bool interop) const +{ + add_signer (parent, "dsig"); + + xmlpp::Element* signature = parent->add_child("Signature", "dsig"); + + { + xmlpp::Element* signed_info = signature->add_child ("SignedInfo", "dsig"); + signed_info->add_child("CanonicalizationMethod", "dsig")->set_attribute ("Algorithm", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"); + + if (interop) { + signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"); + } else { + signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); + } + + { + xmlpp::Element* reference = signed_info->add_child("Reference", "dsig"); + reference->set_attribute ("URI", ""); + { + xmlpp::Element* transforms = reference->add_child("Transforms", "dsig"); + transforms->add_child("Transform", "dsig")->set_attribute ( + "Algorithm", "http://www.w3.org/2000/09/xmldsig#enveloped-signature" + ); + } + reference->add_child("DigestMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#sha1"); + /* This will be filled in by the signing later */ + reference->add_child("DigestValue", "dsig"); + } + } + + add_signature_value (signature, "dsig"); +} + + +/** Sign an XML node. This function takes a certificate chain (to prove that the sender is bona fide) and + * a private key with which to sign the node. + * + * @param parent Node to sign. + * @param certificates Certificate chain for the signer. + * @param signer_key Filename of the private key of the signer. + * @param ns Namespace to use for the signature XML nodes. + */ +void +Signer::add_signature_value (xmlpp::Element* parent, string ns) const +{ + parent->add_child("SignatureValue", ns); + + /* Add the certificate chain to a KeyInfo child node of parent */ + xmlpp::Element* key_info = parent->add_child("KeyInfo", ns); + list<shared_ptr<Certificate> > c = _certificates.leaf_to_root (); + for (list<shared_ptr<Certificate> >::iterator i = c.begin(); i != c.end(); ++i) { + xmlpp::Element* data = key_info->add_child("X509Data", ns); + + { + xmlpp::Element* serial = data->add_child("X509IssuerSerial", ns); + serial->add_child("X509IssuerName", ns)->add_child_text((*i)->issuer ()); + serial->add_child("X509SerialNumber", ns)->add_child_text((*i)->serial ()); + } + + data->add_child("X509Certificate", ns)->add_child_text((*i)->certificate()); + } + + xmlSecDSigCtxPtr signature_context = xmlSecDSigCtxCreate (0); + if (signature_context == 0) { + throw MiscError ("could not create signature context"); + } + + signature_context->signKey = xmlSecCryptoAppKeyLoad (_key.c_str(), xmlSecKeyDataFormatPem, 0, 0, 0); + if (signature_context->signKey == 0) { + throw FileError ("could not load private key file", _key); + } + + /* XXX: set key name to the file name: is this right? */ + if (xmlSecKeySetName (signature_context->signKey, reinterpret_cast<const xmlChar *> (_key.c_str())) < 0) { + throw MiscError ("could not set key name"); + } + + if (xmlSecDSigCtxSign (signature_context, parent->cobj ()) < 0) { + throw MiscError ("could not sign"); + } + + xmlSecDSigCtxDestroy (signature_context); +} + +void +Signer::add_signer (xmlpp::Element* parent, string ns) const +{ + xmlpp::Element* signer = parent->add_child("Signer"); + + { + xmlpp::Element* data = signer->add_child("X509Data", ns); + + { + xmlpp::Element* serial_element = data->add_child("X509IssuerSerial", ns); + serial_element->add_child("X509IssuerName", ns)->add_child_text (_certificates.leaf()->issuer()); + serial_element->add_child("X509SerialNumber", ns)->add_child_text (_certificates.leaf()->serial()); + } + + data->add_child("X509SubjectName", ns)->add_child_text (_certificates.leaf()->subject()); + } +} diff --git a/src/encryption.h b/src/signer.h index b6d79b19..a4d10b2a 100644 --- a/src/encryption.h +++ b/src/signer.h @@ -22,17 +22,28 @@ namespace libdcp { -class Encryption +class Signer { public: - Encryption (CertificateChain c, boost::filesystem::path k) - : certificates (c) - , signer_key (k) + Signer (CertificateChain c, boost::filesystem::path k) + : _certificates (c) + , _key (k) {} - CertificateChain certificates; + void sign (xmlpp::Element* parent, bool interop) const; + void add_signature_value (xmlpp::Element* parent, std::string ns) const; + + CertificateChain const & certificates () const { + return _certificates; + } + +private: + + void add_signer (xmlpp::Element* parent, std::string ns) const; + + CertificateChain _certificates; /** Filename of signer key */ - boost::filesystem::path signer_key; + boost::filesystem::path _key; }; } diff --git a/src/util.cc b/src/util.cc index f2728a38..4bcc61fb 100644 --- a/src/util.cc +++ b/src/util.cc @@ -255,111 +255,6 @@ libdcp::init () } } -/** Sign an XML node. This function takes a certificate chain (to prove that the sender is bona fide) and - * a private key with which to sign the node. - * - * @param parent Node to sign. - * @param certificates Certificate chain for the signer. - * @param signer_key Filename of the private key of the signer. - * @param ns Namespace to use for the signature XML nodes. - */ -void -libdcp::add_signature_value (xmlpp::Element* parent, CertificateChain const & certificates, boost::filesystem::path signer_key, string const & ns) -{ - parent->add_child("SignatureValue", ns); - - /* Add the certificate chain to a KeyInfo child node of parent */ - xmlpp::Element* key_info = parent->add_child("KeyInfo", ns); - list<shared_ptr<Certificate> > c = certificates.leaf_to_root (); - for (list<shared_ptr<Certificate> >::iterator i = c.begin(); i != c.end(); ++i) { - xmlpp::Element* data = key_info->add_child("X509Data", ns); - - { - xmlpp::Element* serial = data->add_child("X509IssuerSerial", ns); - serial->add_child("X509IssuerName", ns)->add_child_text((*i)->issuer ()); - serial->add_child("X509SerialNumber", ns)->add_child_text((*i)->serial ()); - } - - data->add_child("X509Certificate", ns)->add_child_text((*i)->certificate()); - } - - xmlSecDSigCtxPtr signature_context = xmlSecDSigCtxCreate (0); - if (signature_context == 0) { - throw MiscError ("could not create signature context"); - } - - signature_context->signKey = xmlSecCryptoAppKeyLoad (signer_key.c_str(), xmlSecKeyDataFormatPem, 0, 0, 0); - if (signature_context->signKey == 0) { - throw FileError ("could not load private key file", signer_key); - } - - /* XXX: set key name to the file name: is this right? */ - if (xmlSecKeySetName (signature_context->signKey, reinterpret_cast<const xmlChar *> (signer_key.c_str())) < 0) { - throw MiscError ("could not set key name"); - } - - if (xmlSecDSigCtxSign (signature_context, parent->cobj ()) < 0) { - throw MiscError ("could not sign"); - } - - xmlSecDSigCtxDestroy (signature_context); -} - - -void -libdcp::add_signer (xmlpp::Element* parent, CertificateChain const & certificates, string const & ns) -{ - xmlpp::Element* signer = parent->add_child("Signer"); - - { - xmlpp::Element* data = signer->add_child("X509Data", ns); - - { - xmlpp::Element* serial_element = data->add_child("X509IssuerSerial", ns); - serial_element->add_child("X509IssuerName", ns)->add_child_text (certificates.leaf()->issuer()); - serial_element->add_child("X509SerialNumber", ns)->add_child_text (certificates.leaf()->serial()); - } - - data->add_child("X509SubjectName", ns)->add_child_text (certificates.leaf()->subject()); - } -} - -/** @param signer_key Filename of private key to sign with */ -void -libdcp::sign (xmlpp::Element* parent, CertificateChain const & certificates, boost::filesystem::path signer_key, bool interop) -{ - add_signer (parent, certificates, "dsig"); - - xmlpp::Element* signature = parent->add_child("Signature", "dsig"); - - { - xmlpp::Element* signed_info = signature->add_child ("SignedInfo", "dsig"); - signed_info->add_child("CanonicalizationMethod", "dsig")->set_attribute ("Algorithm", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"); - - if (interop) { - signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#rsa-sha1"); - } else { - signed_info->add_child("SignatureMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); - } - - { - xmlpp::Element* reference = signed_info->add_child("Reference", "dsig"); - reference->set_attribute ("URI", ""); - { - xmlpp::Element* transforms = reference->add_child("Transforms", "dsig"); - transforms->add_child("Transform", "dsig")->set_attribute ( - "Algorithm", "http://www.w3.org/2000/09/xmldsig#enveloped-signature" - ); - } - reference->add_child("DigestMethod", "dsig")->set_attribute("Algorithm", "http://www.w3.org/2000/09/xmldsig#sha1"); - /* This will be filled in by the signing later */ - reference->add_child("DigestValue", "dsig"); - } - } - - add_signature_value (signature, certificates, signer_key, "dsig"); -} - bool libdcp::operator== (libdcp::Size const & a, libdcp::Size const & b) { return (a.width == b.width && a.height == b.height); diff --git a/src/wscript b/src/wscript index 98b0169b..7afeb537 100644 --- a/src/wscript +++ b/src/wscript @@ -29,6 +29,7 @@ def build(bld): rec709_linearised_gamma_lut.cc reel.cc rgb_xyz.cc + signer.cc sound_asset.cc sound_frame.cc srgb_linearised_gamma_lut.cc |