authorCarl Hetherington <cth@carlh.net>2013-01-09 22:43:13 +0000
committerCarl Hetherington <cth@carlh.net>2013-01-09 22:43:13 +0000
commit5265670cb158bee669e62a2953b41a624d324a36 (patch)
tree001c2873790269cd9440427c142df0b9ac64d581 /src
parentcf3dafb76de0571fe1989a138827fde1c8b6fbd8 (diff)
Add completely untested code to generate crypto chain for encrypted DCPs.
Diffstat (limited to 'src')
-rw-r--r--src/crypt_chain.cc128
-rw-r--r--src/crypt_chain.h6
-rw-r--r--src/wscript2
3 files changed, 136 insertions, 0 deletions
diff --git a/src/crypt_chain.cc b/src/crypt_chain.cc
new file mode 100644
index 00000000..853d8c50
--- /dev/null
+++ b/src/crypt_chain.cc
@@ -0,0 +1,128 @@
+#include <fstream>
+#include <sstream>
+#include <boost/filesystem.hpp>
+#include <boost/algorithm/string.hpp>
+#include "crypt_chain.h"
+
+using std::string;
+using std::ofstream;
+using std::ifstream;
+using std::stringstream;
+
+void
+libdcp::make_crypt_chain (string directory)
+{
+ boost::filesystem::current_path (directory);
+ system ("openssl genrsa -out ca.key 2048");
+
+ {
+ ofstream f ("ca.cnf");
+ f << "[ req ]\n"
+ << "distinguished_name = req_distinguished_name\n"
+ << "x509_extensions = v3_ca\n"
+ << "[ v3_ca ]\n"
+ << "basicConstraints = critical,CA:true,pathlen:3\n"
+ << "keyUsage = keyCertSign,cRLSign\n"
+ << "subjectKeyIdentifier = hash\n"
+ << "authorityKeyIdentifier = keyid:always,issuer:always\n"
+ << "[ req_distinguished_name ]\n"
+ << "O = Unique organization name\n"
+ << "OU = Organization unit\n"
+ << "CN = Entity and dnQualifier\n";
+ }
+
+ system ("openssl rsa -outform PEM -pubout -in ca.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > ca_dnq");
+
+ string ca_dnq;
+
+ {
+ ifstream f ("ca_dnq");
+ getline (f, ca_dnq);
+ boost::replace_all (ca_dnq, "/", "\\/");
+ }
+
+ string const ca_subject = "/O=example.org/OU=example.org/CN=.smpte-430-2.ROOT.NOT_FOR_PRODUCTION/dnQualifier=" + ca_dnq;
+
+ {
+ stringstream c;
+ c << "openssl req -new -x509 -sha256 -config ca.cnf -days 3650 -set_serial 5 -subj " << ca_subject << " -key ca.key -outform PEM -out ca.self-signed.pem";
+ system (c.str().c_str());
+ }
+
+ system ("openssl genrsa -out intermediate.key 2048");
+
+ {
+ ofstream f ("intermediate.cnf");
+ f << "[ default ]\n"
+ << "distinguished_name = req_distinguished_name\n"
+ << "x509_extensions = v3_ca\n"
+ << "[ v3_ca ]\n"
+ << "basicConstraints = critical,CA:true,pathlen:2\n"
+ << "keyUsage = keyCertSign,cRLSign\n"
+ << "subjectKeyIdentifier = hash\n"
+ << "authorityKeyIdentifier = keyid:always,issuer:always\n"
+ << "[ req_distinguished_name ]\n"
+ << "O = Unique organization name\n"
+ << "OU = Organization unit\n"
+ << "CN = Entity and dnQualifier\n";
+ }
+
+ system ("openssl rsa -outform PEM -pubout -in intermediate.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > inter_dnq");
+
+ string inter_dnq;
+
+ {
+ ifstream f ("inter_dnq");
+ getline (f, inter_dnq);
+ boost::replace_all (inter_dnq, "/", "\\/");
+ }
+
+ string const inter_subject = "/O=example.org/OU=example.org/CN=.smpte-430-2.INTERMEDIATE.NOT_FOR_PRODUCTION/dnQualifier=" + inter_dnq;
+
+ {
+ stringstream s;
+ s << "openssl req -new -config intermediate.cnf -days 3649 -subj " << inter_subject << " -key intermediate.key -out intermediate.csr";
+ system (s.str().c_str());
+ }
+
+
+ system ("openssl x509 -req -sha256 -days 3649 -CA ca.self-signed.pem -CAkey ca.key -set_serial 6 -in intermediate.csr -extfile intermediate.cnf -extensions v3_ca -out intermediate.signed.pem");
+
+ system ("openssl genrsa -out leaf.key 2048");
+
+ {
+ ofstream f ("leaf.cnf");
+ f << "[ default ]\n"
+ << "distinguished_name = req_distinguished_name\n"
+ << "x509_extensions = v3_ca\n"
+ << "[ v3_ca ]\n"
+ << "basicConstraints = critical,CA:false\n"
+ << "keyUsage = digitalSignature,keyEncipherment\n"
+ << "subjectKeyIdentifier = hash\n"
+ << "authorityKeyIdentifier = keyid,issuer:always\n"
+ << "[ req_distinguished_name ]\n"
+ << "O = Unique organization name\n"
+ << "OU = Organization unit\n"
+ << "CN = Entity and dnQualifier\n";
+ }
+
+ system ("openssl rsa -outform PEM -pubout -in leaf.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > leaf_dnq");
+
+ string leaf_dnq;
+
+ {
+ ifstream f ("leaf_dnq");
+ getline (f, leaf_dnq);
+ boost::replace_all (leaf_dnq, "/", "\\/");
+ }
+
+ string const leaf_subject = "/O=example.org/OU=example.org/CN=CS.smpte-430-2.LEAF.NOT_FOR_PRODUCTION/dnQualifier=" + leaf_dnq;
+
+ {
+ stringstream s;
+ s << "openssl req -new -config leaf.cnf -days 3648 -subj " << leaf_subject << " -key leaf.key -outform PEM -out leaf.csr";
+ system (s.str().c_str());
+ }
+
+ system ("openssl x509 -req -sha256 -days 3648 -CA intermediate.signed.pem -CAkey intermediate.key -set_serial 7 -in leaf.csr -extfile leaf.cnf -extensions v3_ca -out leaf.signed.pem");
+}
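Review bot: The `\/` escaping applied to ca_dnq on line 64 is undone before openssl sees it, because the `-subj` value on line 71 is interpolated unquoted into a string run through `system()`, and sh strips the backslash from an unquoted `\/`; the dnQualifier is base64 and so can contain `/`, in which case openssl will likely parse the subject as an extra RDN and fail. Quoting the subject keeps the escape intact: `c << "openssl req -new -x509 -sha256 -config ca.cnf -days 3650 -set_serial 5 -subj '" << ca_subject << "' -key ca.key -outform PEM -out ca.self-signed.pem";` and the same change applies to the intermediate and leaf subjects on lines 107 and 146. Every `system()` return value in the function is also discarded, so a missing openssl or a failed step is silent and the later steps run against absent or empty files; each call should check for a non-zero status and report it, and the `ifstream` reads of the `*_dnq` files should likewise fail loudly rather than yield an empty qualifier. Note that `boost::filesystem::current_path (directory)` on line 38 changes the working directory of the whole process and never restores it, which is worth stating in a comment on the function since callers will be affected. A header comment along the lines of "Generates a root/intermediate/leaf certificate chain by shelling out to openssl; requires openssl on PATH and leaves the private keys as files in `directory`" would also help, since `<cstdlib>` is needed for `system` and is not included.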
diff --git a/src/crypt_chain.h b/src/crypt_chain.h
new file mode 100644
index 00000000..e8d739d4
--- /dev/null
+++ b/src/crypt_chain.h
@@ -0,0 +1,6 @@
+
+namespace libdcp {
+
+void make_crypt_chain (std::string);
+
+}
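Review bot: The header uses `std::string` on line 161 without including `<string>`, so any translation unit that includes crypt_chain.h before `<string>` will fail to compile; add `#include <string>` at the top. There is also no include guard, which the other headers in this tree presumably have. A one-line doc comment on the declaration, e.g. `/** Generate a root/intermediate/leaf certificate chain in @p directory by invoking openssl; changes the process working directory as a side effect. */`, would tell callers what to expect.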
diff --git a/src/wscript b/src/wscript
index f4393243..41ebf7a7 100644
--- a/src/wscript
+++ b/src/wscript
@@ -14,6 +14,7 @@ def build(bld):
asset_map.cc
certificates.cc
cpl_file.cc
+ crypt_chain.cc
dcp.cc
dcp_time.cc
lut.cc
@@ -37,6 +38,7 @@ def build(bld):
headers = """
asset.h
certificates.h
+ crypt_chain.h
dcp.h
dcp_time.h
exceptions.h