Check that KDM validity periods are safely within the validity periods

of the signing certificate chain.

This does cause problems when you try to create a KDM for a certificate
you just made (due to the fact that certificates always have a start-valid
time of "now") but hopefully this can be fixed up in another commit.

6 files changed, 85 insertions, 0 deletions

diff --git a/src/decrypted_kdm.cc b/src/decrypted_kdm.cc
index 4bd9a9d5..9468aabc 100644
--- a/src/decrypted_kdm.cc
+++ b/src/decrypted_kdm.cc
@@ -312,6 +312,14 @@ DecryptedKDM::encrypt (
 {
 	DCP_ASSERT (!_keys.empty ());
 
+	BOOST_FOREACH (dcp::Certificate i, signer->leaf_to_root()) {
+		if (day_greater_than_or_equal(i.not_before(), _not_valid_before)) {
+			throw BadKDMDateError (true);
+		} else if (day_less_than_or_equal(i.not_after(), _not_valid_after)) {
+			throw BadKDMDateError (false);
+		}
+	}
+
 	list<pair<string, string> > key_ids;
 	list<string> keys;
 	BOOST_FOREACH (DecryptedKDMKey const & i, _keys) {
diff --git a/src/exceptions.cc b/src/exceptions.cc
index 0b8978dc..19422090 100644
--- a/src/exceptions.cc
+++ b/src/exceptions.cc
@@ -138,3 +138,14 @@ EmptyAssetPathError::EmptyAssetPathError (string id)
 {
 
 }
+
+BadKDMDateError::BadKDMDateError (bool starts_too_early)
+	: runtime_error (
+		starts_too_early ?
+		"KDM validity period starts before or close to the start of the signing certificate validity period" :
+		"KDM validity ends after or close to the end of the signing certificate's validity period"
+		)
+	, _starts_too_early (starts_too_early)
+{
+
+}
diff --git a/src/exceptions.h b/src/exceptions.h
index 1e9bd2d7..17b18eb2 100644
--- a/src/exceptions.h
+++ b/src/exceptions.h
@@ -234,6 +234,19 @@ public:
 	EmptyAssetPathError (std::string id);
 };
 
+class BadKDMDateError : public std::runtime_error
+{
+public:
+	BadKDMDateError (bool starts_too_early);
+
+	bool starts_too_early () const {
+		return _starts_too_early;
+	}
+
+private:
+	bool _starts_too_early;
+};
+
 }
 
 #endif
diff --git a/src/local_time.h b/src/local_time.h
index 20658eb4..f5723783 100644
--- a/src/local_time.h
+++ b/src/local_time.h
@@ -66,6 +66,22 @@ public:
 	std::string date () const;
 	std::string time_of_day (bool with_second, bool with_millisecond) const;
 
+	int day () const {
+		return _day;
+	}
+
+	int month () const {
+		return _month;
+	}
+
+	int year () const {
+		return _year;
+	}
+
+	void set_year (int y) {
+		_year = y;
+	}
+
 	bool operator== (LocalTime const & other) const;
 	bool operator!= (LocalTime const & other) const;
 	bool operator< (LocalTime const & other) const;
diff --git a/src/util.cc b/src/util.cc
index d5b6cb9f..c6313b4c 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -376,3 +376,37 @@ dcp::indent (xmlpp::Element* element, int initial)
 		element->add_child_text (last, "\n" + spaces(initial));
 	}
 }
+
+/** @return true if the day represented by \ref a is less than or
+ *  equal to the one represented by \ref b, ignoring the time parts.
+ */
+bool
+dcp::day_less_than_or_equal (struct tm a, LocalTime b)
+{
+	if ((a.tm_year + 1900) != b.year()) {
+		return (a.tm_year + 1900) < b.year();
+	}
+
+	if ((a.tm_mon + 1) != b.month()) {
+		return (a.tm_mon + 1) < b.month();
+	}
+
+	return a.tm_mday <= b.day();
+}
+
+/** @return true if the day represented by \ref a is greater than or
+ *  equal to the one represented by \ref b, ignoring the time parts.
+ */
+bool
+dcp::day_greater_than_or_equal (struct tm a, LocalTime b)
+{
+	if ((a.tm_year + 1900) != b.year()) {
+		return (a.tm_year + 1900) > b.year();
+	}
+
+	if ((a.tm_mon + 1) != b.month()) {
+		return (a.tm_mon + 1) > b.month();
+	}
+
+	return a.tm_mday >= b.day();
+}
diff --git a/src/util.h b/src/util.h
index 992c5a61..b2bddd5a 100644
--- a/src/util.h
+++ b/src/util.h
@@ -40,6 +40,7 @@
 
 #include "types.h"
 #include "data.h"
+#include "local_time.h"
 #include <boost/shared_ptr.hpp>
 #include <boost/function.hpp>
 #include <boost/filesystem.hpp>
@@ -75,6 +76,8 @@ extern xmlpp::Node* find_child (xmlpp::Node const * node, std::string name);
 extern std::string openjpeg_version();
 extern std::string spaces (int n);
 extern void indent (xmlpp::Element* element, int initial);
+extern bool day_less_than_or_equal (struct tm a, LocalTime b);
+extern bool day_greater_than_or_equal (struct tm a, LocalTime b);
 
 }