Tweaks to management of crypto information.

author: Carl Hetherington <cth@carlh.net> 2013-01-11 00:25:11 +0000
committer: Carl Hetherington <cth@carlh.net> 2013-01-11 00:25:11 +0000
commit: 67cf9c95d190b1f2a67d73c0a7f712e213b6e71a (patch)
tree: 5330aa403ea22459ed257ee577aaeec84053c0a4 /src
parent: 5265670cb158bee669e62a2953b41a624d324a36 (diff)
6 files changed, 87 insertions, 81 deletions
diff --git a/src/certificates.cc b/src/certificates.cc
index 6ed32dca..c1b15c51 100644
--- a/src/certificates.cc
+++ b/src/certificates.cc
@@ -42,6 +42,19 @@ Certificate::Certificate (X509* c)
 	
 }
 
+Certificate::Certificate (string const & filename)
+	: _certificate (0)
+{
+	FILE* f = fopen (filename.c_str(), "r");
+	if (!f) {
+		throw FileError ("could not open file", filename);
+	}
+	
+	if (!PEM_read_X509 (f, &_certificate, 0, 0)) {
+		throw MiscError ("could not read X509 certificate");
+	}
+}
+
 Certificate::~Certificate ()
 {
 	X509_free (_certificate);
@@ -147,32 +160,6 @@ Certificate::thumbprint () const
 	return Kumu::base64encode (digest, 20, digest_base64, 64);
 }
 
-/** @param filename Text file of PEM-format certificates,
- *  in the order:
- *
- *  1. self-signed root certificate
- *  2. intermediate certificate signed by root certificate
- *  ...
- *  n. leaf certificate signed by previous intermediate.
- */
-
-CertificateChain::CertificateChain (string const & filename)
-{
-	FILE* f = fopen (filename.c_str(), "r");
-	if (!f) {
-		throw FileError ("could not open file", filename);
-	}
-	
-	while (1) {
-		X509* c = 0;
-		if (!PEM_read_X509 (f, &c, 0, 0)) {
-			break;
-		}
-
-		_certificates.push_back (shared_ptr<Certificate> (new Certificate (c)));
-	}
-}
-
 shared_ptr<Certificate>
 CertificateChain::root () const
 {
@@ -195,3 +182,8 @@ CertificateChain::leaf_to_root () const
 	return c;
 }
 
+void
+CertificateChain::add (shared_ptr<Certificate> c)
+{
+	_certificates.push_back (c);
+}
diff --git a/src/certificates.h b/src/certificates.h
index db19a9db..e1a572ec 100644
--- a/src/certificates.h
+++ b/src/certificates.h
@@ -40,7 +40,8 @@ public:
 	Certificate ()
 		: _certificate (0)
 	{}
-	
+
+	Certificate (std::string const &);
 	Certificate (X509 *);
 	~Certificate ();
 
@@ -61,7 +62,8 @@ class CertificateChain
 {
 public:
 	CertificateChain () {}
-	CertificateChain (std::string const &);
+
+	void add (boost::shared_ptr<Certificate>);
 
 	boost::shared_ptr<Certificate> root () const;
 	boost::shared_ptr<Certificate> leaf () const;
diff --git a/src/crypt_chain.cc b/src/crypt_chain.cc
index 853d8c50..d0777859 100644
--- a/src/crypt_chain.cc
+++ b/src/crypt_chain.cc
@@ -3,17 +3,29 @@
 #include <boost/filesystem.hpp>
 #include <boost/algorithm/string.hpp>
 #include "crypt_chain.h"
+#include "exceptions.h"
 
 using std::string;
 using std::ofstream;
 using std::ifstream;
 using std::stringstream;
+using std::cout;
+
+static void command (char const * c)
+{
+	int const r = system (c);
+	if (WEXITSTATUS (r)) {
+		stringstream s;
+		s << "error in " << c << "\n";
+		throw libdcp::MiscError (s.str());
+	}
+}
 
 void
 libdcp::make_crypt_chain (string directory)
 {
 	boost::filesystem::current_path (directory);
-	system ("openssl genrsa -out ca.key 2048");
+	command ("openssl genrsa -out ca.key 2048");
 
 	{
 		ofstream f ("ca.cnf");
@@ -31,7 +43,7 @@ libdcp::make_crypt_chain (string directory)
 		  << "CN = Entity and dnQualifier\n";
 	}
 
-	system ("openssl rsa -outform PEM -pubout -in ca.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > ca_dnq");
+	command ("openssl rsa -outform PEM -pubout -in ca.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > ca_dnq");
 
 	string ca_dnq;
 
@@ -46,10 +58,10 @@ libdcp::make_crypt_chain (string directory)
 	{
 		stringstream c;
 		c << "openssl req -new -x509 -sha256 -config ca.cnf -days 3650 -set_serial 5 -subj " << ca_subject << " -key ca.key -outform PEM -out ca.self-signed.pem";
-		system (c.str().c_str());
+		command (c.str().c_str());
 	}
 
-	system ("openssl genrsa -out intermediate.key 2048");
+	command ("openssl genrsa -out intermediate.key 2048");
 
 	{
 		ofstream f ("intermediate.cnf");
@@ -67,7 +79,7 @@ libdcp::make_crypt_chain (string directory)
 		  << "CN = Entity and dnQualifier\n";
 	}
 
-	system ("openssl rsa -outform PEM -pubout -in intermediate.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > inter_dnq");
+	command ("openssl rsa -outform PEM -pubout -in intermediate.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > inter_dnq");
 	
 	string inter_dnq;
 
@@ -82,13 +94,13 @@ libdcp::make_crypt_chain (string directory)
 	{
 		stringstream s;
 		s << "openssl req -new -config intermediate.cnf -days 3649 -subj " << inter_subject << " -key intermediate.key -out intermediate.csr";
-		system (s.str().c_str());
+		command (s.str().c_str());
 	}
 
 	
-	system ("openssl x509 -req -sha256 -days 3649 -CA ca.self-signed.pem -CAkey ca.key -set_serial 6 -in intermediate.csr -extfile intermediate.cnf -extensions v3_ca -out intermediate.signed.pem");
+	command ("openssl x509 -req -sha256 -days 3649 -CA ca.self-signed.pem -CAkey ca.key -set_serial 6 -in intermediate.csr -extfile intermediate.cnf -extensions v3_ca -out intermediate.signed.pem");
 
-	system ("openssl genrsa -out leaf.key 2048");
+	command ("openssl genrsa -out leaf.key 2048");
 
 	{
 		ofstream f ("leaf.cnf");
@@ -106,7 +118,7 @@ libdcp::make_crypt_chain (string directory)
 		  << "CN = Entity and dnQualifier\n";
 	}
 
-	system ("openssl rsa -outform PEM -pubout -in leaf.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > leaf_dnq");
+	command ("openssl rsa -outform PEM -pubout -in leaf.key | openssl base64 -d | dd bs=1 skip=24 2>/dev/null | openssl sha1 -binary | openssl base64 > leaf_dnq");
 	
 	string leaf_dnq;
 
@@ -121,8 +133,8 @@ libdcp::make_crypt_chain (string directory)
 	{
 		stringstream s;
 		s << "openssl req -new -config leaf.cnf -days 3648 -subj " << leaf_subject << " -key leaf.key -outform PEM -out leaf.csr";
-		system (s.str().c_str());
+		command (s.str().c_str());
 	}
 
-	system ("openssl x509 -req -sha256 -days 3648 -CA intermediate.signed.pem -CAkey intermediate.key -set_serial 7 -in leaf.csr -extfile leaf.cnf -extensions v3_ca -out leaf.signed.pem");
+	command ("openssl x509 -req -sha256 -days 3648 -CA intermediate.signed.pem -CAkey intermediate.key -set_serial 7 -in leaf.csr -extfile leaf.cnf -extensions v3_ca -out leaf.signed.pem");
 }
diff --git a/src/dcp.cc b/src/dcp.cc
index 45ff69d1..54ab6660 100644
--- a/src/dcp.cc
+++ b/src/dcp.cc
@@ -54,27 +54,26 @@ using namespace libdcp;
 
 DCP::DCP (string directory)
 	: _directory (directory)
-	, _encrypted (false)
 {
 	boost::filesystem::create_directories (directory);
 }
 
 void
-DCP::write_xml () const
+DCP::write_xml (shared_ptr<Encryption> crypt) const
 {
 	for (list<shared_ptr<const CPL> >::const_iterator i = _cpls.begin(); i != _cpls.end(); ++i) {
-		(*i)->write_xml (_encrypted, _certificates, _signer_key);
+		(*i)->write_xml (crypt);
 	}
 
 	string pkl_uuid = make_uuid ();
-	string pkl_path = write_pkl (pkl_uuid);
+	string pkl_path = write_pkl (pkl_uuid, crypt);
 	
 	write_volindex ();
 	write_assetmap (pkl_uuid, boost::filesystem::file_size (pkl_path));
 }
 
 std::string
-DCP::write_pkl (string pkl_uuid) const
+DCP::write_pkl (string pkl_uuid, shared_ptr<Encryption> crypt) const
 {
 	assert (!_cpls.empty ());
 	
@@ -86,7 +85,7 @@ DCP::write_pkl (string pkl_uuid) const
 
 	xmlpp::Document doc;
 	xmlpp::Element* pkl = doc.create_root_node("PackingList", "http://www.smpte-ra.org/schemas/429-8/2007/PKL");
-	if (_encrypted) {
+	if (crypt) {
 		pkl->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "dsig");
 	}
 
@@ -109,8 +108,8 @@ DCP::write_pkl (string pkl_uuid) const
 		}
 	}
 
-	if (_encrypted) {
-		sign (pkl, _certificates, _signer_key);
+	if (crypt) {
+		sign (pkl, crypt->certificates, crypt->signer_key);
 	}
 		
 	doc.write_to_file_formatted (p.string(), "UTF-8");
@@ -435,7 +434,7 @@ CPL::add_reel (shared_ptr<const Reel> reel)
 }
 
 void
-CPL::write_xml (bool encrypted, CertificateChain const & certificates, string const & signer_key) const
+CPL::write_xml (shared_ptr<Encryption> crypt) const
 {
 	boost::filesystem::path p;
 	p /= _directory;
@@ -446,7 +445,7 @@ CPL::write_xml (bool encrypted, CertificateChain const & certificates, string co
 	xmlpp::Document doc;
 	xmlpp::Element* cpl = doc.create_root_node("CompositionPlaylist", "http://www.smpte-ra.org/schemas/429-7/2006/CPL");
 
-	if (encrypted) {
+	if (crypt) {
 		cpl->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "dsig");
 	}
 
@@ -470,8 +469,8 @@ CPL::write_xml (bool encrypted, CertificateChain const & certificates, string co
 		(*i)->write_to_cpl (reel_list);
 	}
 
-	if (encrypted) {
-		sign (cpl, certificates, signer_key);
+	if (crypt) {
+		sign (cpl, crypt->certificates, crypt->signer_key);
 	}
 
 	doc.write_to_file_formatted (p.string(), "UTF-8");
@@ -570,7 +569,13 @@ CPL::equals (CPL const & other, EqualityOptions opt, list<string>& notes) const
 }
 
 shared_ptr<xmlpp::Document>
-CPL::make_kdm (CertificateChain const & certificates, string const & signer_key, shared_ptr<const Certificate> recipient_cert) const
+CPL::make_kdm (
+	CertificateChain const & certificates,
+	string const & signer_key,
+	shared_ptr<const Certificate> recipient_cert,
+	boost::posix_time::ptime from,
+	boost::posix_time::ptime until
+	) const
 {
 	shared_ptr<xmlpp::Document> doc (new xmlpp::Document);
 	xmlpp::Element* root = doc->create_root_node ("DCinemaSecurityMessage");
diff --git a/src/dcp.h b/src/dcp.h
index 96b28090..63e579de 100644
--- a/src/dcp.h
+++ b/src/dcp.h
@@ -28,6 +28,7 @@
 #include <vector>
 #include <boost/shared_ptr.hpp>
 #include <boost/signals2.hpp>
+#include <boost/date_time/posix_time/posix_time.hpp>
 #include "types.h"
 #include "certificates.h"
 
@@ -47,6 +48,18 @@ class SubtitleAsset;
 class Reel;
 class AssetMap;
 
+class Encryption
+{
+public:
+	Encryption (CertificateChain c, std::string const & k)
+		: certificates (c)
+		, signer_key (k)
+	{}
+
+	CertificateChain certificates;
+	std::string signer_key;
+};
+
 class CPL
 {
 public:
@@ -87,11 +100,17 @@ public:
 	
 	bool equals (CPL const & other, EqualityOptions options, std::list<std::string>& notes) const;
 	
-	void write_xml (bool, CertificateChain const &, std::string const &) const;
+	void write_xml (boost::shared_ptr<Encryption>) const;
 	void write_to_assetmap (std::ostream& s) const;
 	void write_to_pkl (xmlpp::Element* p) const;
 
-	boost::shared_ptr<xmlpp::Document> make_kdm (CertificateChain const &, std::string const &, boost::shared_ptr<const Certificate>) const;
+	boost::shared_ptr<xmlpp::Document> make_kdm (
+		CertificateChain const &,
+		std::string const &,
+		boost::shared_ptr<const Certificate>,
+		boost::posix_time::ptime from,
+		boost::posix_time::ptime until
+		) const;
 	
 private:
 	std::string _directory;
@@ -138,7 +157,7 @@ public:
 	/** Write the required XML files to the directory that was
 	 *  passed into the constructor.
 	 */
-	void write_xml () const;
+	void write_xml (boost::shared_ptr<Encryption> crypt = boost::shared_ptr<Encryption> ()) const;
 
 	/** Compare this DCP with another, according to various options.
 	 *  @param other DCP to compare this one to.
@@ -154,26 +173,6 @@ public:
 		return _cpls;
 	}
 
-	void set_encrypted (bool e) {
-		_encrypted = e;
-	}
-
-	void set_certificates (CertificateChain const & c) {
-		_certificates = c;
-	}
-
-	CertificateChain certificates () const {
-		return _certificates;
-	}
-
-	void set_signer_key (std::string const & s) {
-		_signer_key = s;
-	}
-
-	std::string signer_key () const {
-		return _signer_key;
-	}
-
 	/** Emitted with a parameter between 0 and 1 to indicate progress
 	 *  for long jobs.
 	 */
@@ -184,7 +183,7 @@ private:
 	/** Write the PKL file.
 	 *  @param pkl_uuid UUID to use.
 	 */
-	std::string write_pkl (std::string pkl_uuid) const;
+	std::string write_pkl (std::string pkl_uuid, boost::shared_ptr<Encryption>) const;
 	
 	/** Write the VOLINDEX file */
 	void write_volindex () const;
@@ -206,10 +205,6 @@ private:
 	/** the directory that we are writing to */
 	std::string _directory;
 	std::list<boost::shared_ptr<const CPL> > _cpls;
-
-	bool _encrypted;
-	CertificateChain _certificates;
-	std::string _signer_key;
 };
 
 }
diff --git a/src/wscript b/src/wscript
index 41ebf7a7..0922cb56 100644
--- a/src/wscript
+++ b/src/wscript
@@ -7,7 +7,7 @@ def build(bld):
     obj.name = 'libdcp'
     obj.target = 'dcp'
     obj.export_includes = ['.']
-    obj.uselib = 'BOOST_FILESYSTEM BOOST_SIGNALS2 OPENSSL SIGC++ LIBXML++ OPENJPEG XMLSEC1'
+    obj.uselib = 'BOOST_FILESYSTEM BOOST_SIGNALS2 BOOST_DATETIME OPENSSL SIGC++ LIBXML++ OPENJPEG XMLSEC1'
     obj.use = 'libkumu-libdcp libasdcp-libdcp'
     obj.source = """
                  asset.cc
author	Carl Hetherington <cth@carlh.net>	2013-01-11 00:25:11 +0000
committer	Carl Hetherington <cth@carlh.net>	2013-01-11 00:25:11 +0000
commit	67cf9c95d190b1f2a67d73c0a7f712e213b6e71a (patch)
tree	5330aa403ea22459ed257ee577aaeec84053c0a4 /src
parent	5265670cb158bee669e62a2953b41a624d324a36 (diff)