2 Copyright (C) 2013 Carl Hetherington <cth@carlh.net>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include <boost/algorithm/string.hpp>
23 #include <openssl/rsa.h>
24 #include <openssl/pem.h>
25 #include <openssl/err.h>
26 #include <libcxml/cxml.h>
31 #include "compose.hpp"
32 #include "exceptions.h"
35 #include "mxf_asset.h"
36 #include "xml/kdm_smpte.h"
40 using std::stringstream;
45 using boost::shared_ptr;
46 using namespace libdcp;
48 KDM::KDM (boost::filesystem::path kdm, boost::filesystem::path private_key)
49 : xml_kdm (new xml::DCinemaSecurityMessage (kdm))
51 /* Read the private key */
53 FILE* private_key_file = fopen (private_key.string().c_str(), "r");
54 if (!private_key_file) {
55 throw FileError ("could not find RSA private key file", private_key);
58 RSA* rsa = PEM_read_RSAPrivateKey (private_key_file, 0, 0, 0);
59 fclose (private_key_file);
61 throw FileError ("could not read RSA private key file", private_key);
64 /* Use it to decrypt the keys */
66 list<string> encrypted_keys = xml_kdm->authenticated_private.encrypted_keys;
68 for (list<string>::iterator i = encrypted_keys.begin(); i != encrypted_keys.end(); ++i) {
70 /* Decode the base-64-encoded cipher value from the KDM */
71 unsigned char cipher_value[256];
72 int const cipher_value_len = base64_decode (*i, cipher_value, sizeof (cipher_value));
75 unsigned char* decrypted = new unsigned char[RSA_size(rsa)];
76 int const decrypted_len = RSA_private_decrypt (cipher_value_len, cipher_value, decrypted, rsa, RSA_PKCS1_OAEP_PADDING);
77 if (decrypted_len == -1) {
79 throw MiscError (String::compose ("Could not decrypt KDM (%1)", ERR_error_string (ERR_get_error(), 0)));
82 _keys.push_back (KDMKey (decrypted, decrypted_len));
90 shared_ptr<const CPL> cpl, shared_ptr<const Signer> signer, shared_ptr<const Certificate> recipient_cert,
91 boost::posix_time::ptime not_valid_before, boost::posix_time::ptime not_valid_after,
92 MXFMetadata mxf_metadata, XMLMetadata xml_metadata
94 : xml_kdm (new xml::DCinemaSecurityMessage)
96 xml::AuthenticatedPublic& apu = xml_kdm->authenticated_public;
98 /* AuthenticatedPublic */
100 apu.message_type = "urn:uuid:" + make_uuid ();
101 apu.annotation_text = mxf_metadata.product_name;
102 apu.issue_date = xml_metadata.issue_date;
103 apu.signer.x509_issuer_name = signer->certificates().leaf()->issuer ();
104 apu.signer.x509_serial_number = signer->certificates().leaf()->serial ();
105 apu.recipient.x509_issuer_serial.x509_issuer_name = recipient_cert->issuer ();
106 apu.recipient.x509_issuer_serial.x509_serial_number = recipient_cert->serial ();
107 apu.recipient.x509_subject_name = recipient_cert->subject ();
108 apu.composition_playlist_id = "urn:uuid:" + cpl->id ();
109 apu.content_title_text = cpl->name ();
110 apu.content_keys_not_valid_before = ptime_to_string (not_valid_before);
111 apu.content_keys_not_valid_after = ptime_to_string (not_valid_after);
112 apu.authorized_device_info.device_list_identifier = "urn:uuid:" + make_uuid ();
113 apu.authorized_device_info.device_list_description = recipient_cert->subject ();
114 apu.authorized_device_info.device_list.push_back (recipient_cert->thumbprint ());
116 list<shared_ptr<const Asset> > assets = cpl->assets ();
117 for (list<shared_ptr<const Asset> >::iterator i = assets.begin(); i != assets.end(); ++i) {
118 /* XXX: non-MXF assets? */
119 shared_ptr<const MXFAsset> mxf = boost::dynamic_pointer_cast<const MXFAsset> (*i);
121 apu.key_id_list.push_back (xml::TypedKeyId (mxf->key_type(), "urn:uuid:" + mxf->key_id()));
125 apu.forensic_mark_flag_list.push_back ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable");
126 apu.forensic_mark_flag_list.push_back ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable");
128 /* AuthenticatedPrivate */
130 for (list<shared_ptr<const Asset> >::iterator i = assets.begin(); i != assets.end(); ++i) {
131 /* XXX: non-MXF assets? */
132 shared_ptr<const MXFAsset> mxf = boost::dynamic_pointer_cast<const MXFAsset> (*i);
134 xml_kdm->authenticated_private.encrypted_keys.push_back (
135 KDMKey (signer, cpl->id (), mxf->key_id (), not_valid_before, not_valid_after, mxf->key().get()).base64 ()
142 shared_ptr<xmlpp::Document> doc = xml_kdm->as_xml ();
143 shared_ptr<cxml::Node> root (new cxml::Node (doc->get_root_node ()));
144 xmlpp::Node* signature = root->node_child("Signature")->node();
145 signer->add_signature_value (signature, "ds");
146 xml_kdm->signature = xml::Signature (shared_ptr<cxml::Node> (new cxml::Node (signature)));
150 KDM::as_xml (boost::filesystem::path path) const
152 shared_ptr<xmlpp::Document> doc = xml_kdm->as_xml ();
153 doc->write_to_file_formatted (path.string(), "UTF-8");
156 KDMKey::KDMKey (shared_ptr<const Signer> signer, string cpl_id, string key_id, boost::posix_time::ptime from, boost::posix_time::ptime until, Key key)
159 , _not_valid_before (ptime_to_string (from))
160 , _not_valid_after (ptime_to_string (until))
163 base64_decode (signer->certificates().leaf()->thumbprint (), _signer_thumbprint, 20);
166 KDMKey::KDMKey (uint8_t const * raw, int len)
171 /* [0-15] is structure id (fixed sequence specified by standard) */
173 get (_signer_thumbprint, &raw, 20);
174 _cpl_id = get_uuid (&raw);
175 _key_id = get_uuid (&raw);
176 _not_valid_before = get (&raw, 25);
177 _not_valid_after = get (&raw, 25);
182 /* [0-15] is structure id (fixed sequence specified by standard) */
184 get (_signer_thumbprint, &raw, 20);
185 _cpl_id = get_uuid (&raw);
186 _key_type = get (&raw, 4);
187 _key_id = get_uuid (&raw);
188 _not_valid_before = get (&raw, 25);
189 _not_valid_after = get (&raw, 25);
197 KDMKey::KDMKey (KDMKey const & other)
198 : _cpl_id (other._cpl_id)
199 , _key_type (other._key_type)
200 , _key_id (other._key_id)
201 , _not_valid_before (other._not_valid_before)
202 , _not_valid_after (other._not_valid_after)
205 memcpy (_signer_thumbprint, other._signer_thumbprint, 20);
209 KDMKey::operator= (KDMKey const & other)
211 if (&other == this) {
215 _cpl_id = other._cpl_id;
216 _key_type = other._key_type;
217 _key_id = other._key_id;
218 _not_valid_before = other._not_valid_before;
219 _not_valid_after = other._not_valid_after;
221 memcpy (_signer_thumbprint, other._signer_thumbprint, 20);
227 KDMKey::base64 () const
229 /* XXX: SMPTE only */
233 /* Magic value specified by SMPTE S430-1-2006 */
234 uint8_t structure_id[] = { 0xf1, 0xdc, 0x12, 0x44, 0x60, 0x16, 0x9a, 0x0e, 0x85, 0xbc, 0x30, 0x06, 0x42, 0xf8, 0x66, 0xab };
235 put (&p, structure_id, 16);
236 put (&p, _signer_thumbprint, 20);
237 put_uuid (&p, _cpl_id);
239 put_uuid (&p, _key_id);
240 put (&p, _not_valid_before);
241 put (&p, _not_valid_after);
242 put (&p, _key.value(), ASDCP::KeyLen);
244 /* Lazy overallocation */
245 char string[138 * 2];
246 return Kumu::base64encode (block, 138, string, 138 * 2);
250 KDMKey::get (uint8_t const ** p, int N) const
253 for (int i = 0; i < N; ++i) {
262 KDMKey::get (uint8_t* o, uint8_t const ** p, int N) const
269 KDMKey::get_uuid (unsigned char const ** p) const
273 for (int i = 0; i < 16; ++i) {
274 g << setw(2) << setfill('0') << hex << static_cast<int> (**p);
276 if (i == 3 || i == 5 || i == 7 || i == 9) {
285 KDMKey::put (uint8_t ** d, uint8_t const * s, int N) const
292 KDMKey::put (uint8_t ** d, string s) const
294 memcpy (*d, s.c_str(), s.length());
299 KDMKey::put_uuid (uint8_t ** d, string id) const
301 id.erase (std::remove (id.begin(), id.end(), '-'));
302 for (int i = 0; i < 32; i += 2) {
304 s << id[i] << id[i + 1];