- kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
- } else if (formulation == DCI_SPECIFIC) {
- /* Use the recipient and other trusted device thumbprints */
- kre.authorized_device_info.certificate_thumbprints.push_back (recipient.thumbprint ());
- BOOST_FOREACH (Certificate const & i, trusted_devices) {
- kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
+ kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+ } else if (formulation == Formulation::MULTIPLE_MODIFIED_TRANSITIONAL_1 || formulation == Formulation::DCI_SPECIFIC) {
+ if (trusted_devices.empty ()) {
+ /* Fall back on the "assume trust" thumbprint so we
+ can generate "modified-transitional-1" KDMs
+ together with "multiple-modified-transitional-1"
+ KDMs in one go, and similarly for "dci-any" etc.
+ */
+ kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+ } else {
+ /* As I read the standard we should use the
+ recipient /and/ other trusted device thumbprints
+ here. MJD reports that this doesn't work with
+ his setup; a working KDM does not include the
+ recipient's thumbprint (recipient.thumbprint()).
+ Waimea uses only the trusted devices here, too.
+ */
+ for (auto i: trusted_devices) {
+ kre.authorized_device_info->certificate_thumbprints.push_back(i);
+ }