From: Carl Hetherington <cth@carlh.net>
Date: Fri, 22 Mar 2024 19:07:37 +0000 (+0100)
Subject: Add --decryption-key option to KDM CLI (#2790).
X-Git-Tag: v2.17.16~27
X-Git-Url: https://git.carlh.net/gitweb/?a=commitdiff_plain;h=472b44bf1bbeb34cf9c130b9cede0eac7a298e82;hp=d8f19a9c494f1a48bdaa211d07c2bb29e58861c7;p=dcpomatic.git

Add --decryption-key option to KDM CLI (#2790).
---

diff --git a/src/lib/kdm_cli.cc b/src/lib/kdm_cli.cc
index 244c108ad..5666da79b 100644
--- a/src/lib/kdm_cli.cc
+++ b/src/lib/kdm_cli.cc
@@ -75,6 +75,8 @@ help (std::function<void (string)> out)
 	out ("  -S, --screen <name>                      screen name (when using -C) or screen name (to filter screens when using -c)");
 	out ("  -C, --projector-certificate <file>       file containing projector certificate");
 	out ("  -T, --trusted-device-certificate <file>  file containing a trusted device's certificate");
+	out ("      --decryption-key <file>              file containing the private key which can decrypt the given DKDM");
+	out ("                                           (DCP-o-matic's configured private key will be used otherwise)");
 	out ("      --cinemas-file <file>                use the given file as a list of cinemas instead of the current configuration");
 	out ("      --list-cinemas                       list known cinemas from the DCP-o-matic settings");
 	out ("      --list-dkdm-cpls                     list CPLs for which DCP-o-matic has DKDMs");
@@ -448,6 +450,7 @@ try
 	optional<string> cinema_name;
 	shared_ptr<Cinema> cinema;
 	optional<boost::filesystem::path> projector_certificate;
+	optional<boost::filesystem::path> decryption_key;
 	optional<string> screen;
 	vector<shared_ptr<Screen>> screens;
 	optional<dcp::EncryptedKDM> dkdm;
@@ -489,13 +492,14 @@ try
 			{ "screen", required_argument, 0, 'S' },
 			{ "projector-certificate", required_argument, 0, 'C' },
 			{ "trusted-device-certificate", required_argument, 0, 'T' },
+			{ "decryption-key", required_argument, 0, 'G' },
 			{ "list-cinemas", no_argument, 0, 'B' },
 			{ "list-dkdm-cpls", no_argument, 0, 'D' },
 			{ "cinemas-file", required_argument, 0, 'E' },
 			{ 0, 0, 0, 0 }
 		};
 
-		int c = getopt_long (argc, argv, "ho:K:Z:f:t:d:F:pae::zvc:S:C:T:BDE:", long_options, &option_index);
+		int c = getopt_long (argc, argv, "ho:K:Z:f:t:d:F:pae::zvc:S:C:T:BDE:G:", long_options, &option_index);
 
 		if (c == -1) {
 			break;
@@ -579,6 +583,9 @@ try
 				screens.back()->trusted_devices.push_back(TrustedDevice(dcp::Certificate(dcp::file_to_string(optarg))));
 			}
 			break;
+		case 'G':
+			decryption_key = optarg;
+			break;
 		case 'B':
 			list_cinemas = true;
 			break;
@@ -679,9 +686,11 @@ try
 			throw KDMCLIError ("could not find film or CPL ID corresponding to " + thing);
 		}
 
+		string const key = decryption_key ? dcp::file_to_string(*decryption_key) : Config::instance()->decryption_chain()->key().get();
+
 		from_dkdm (
 			screens,
-			dcp::DecryptedKDM (*dkdm, Config::instance()->decryption_chain()->key().get()),
+			dcp::DecryptedKDM(*dkdm, key),
 			verbose,
 			output,
 			container_name_format,
diff --git a/test/kdm_cli_test.cc b/test/kdm_cli_test.cc
index 720cdc01f..0ebb5e714 100644
--- a/test/kdm_cli_test.cc
+++ b/test/kdm_cli_test.cc
@@ -22,6 +22,7 @@
 #include "lib/cinema.h"
 #include "lib/config.h"
 #include "lib/content_factory.h"
+#include "lib/cross.h"
 #include "lib/film.h"
 #include "lib/kdm_cli.h"
 #include "lib/screen.h"
@@ -39,7 +40,7 @@ using boost::optional;
 
 
 optional<string>
-run(vector<string> const& args, vector<string>& output)
+run(vector<string> const& args, vector<string>& output, bool dump_errors = true)
 {
 	std::vector<char*> argv(args.size());
 	for (auto i = 0U; i < args.size(); ++i) {
@@ -47,7 +48,7 @@ run(vector<string> const& args, vector<string>& output)
 	}
 
 	auto error = kdm_cli(args.size(), argv.data(), [&output](string s) { output.push_back(s); });
-	if (error) {
+	if (error && dump_errors) {
 		std::cout << *error << "\n";
 	}
 
@@ -80,6 +81,70 @@ BOOST_AUTO_TEST_CASE (kdm_cli_test_certificate)
 }
 
 
+BOOST_AUTO_TEST_CASE(kdm_cli_specify_decryption_key_test)
+{
+	using boost::filesystem::path;
+
+	ConfigRestorer cr;
+
+	path const dir = "build/test/kdm_cli_specify_decryption_key_test";
+
+	boost::system::error_code ec;
+	boost::filesystem::remove_all(dir, ec);
+	boost::filesystem::create_directories(dir);
+
+	dcp::CertificateChain chain(openssl_path(), 365);
+	dcp::write_string_to_file(chain.leaf().certificate(true), dir / "cert.pem");
+	dcp::write_string_to_file(*chain.key(), dir / "key.pem");
+
+	vector<string> make_args = {
+		"kdm_cli",
+		"--valid-from", "now",
+		"--valid-duration", "2 weeks",
+		"--projector-certificate", path(dir / "cert.pem").string(),
+		"-S", "base",
+		"-o", dir.string(),
+		"test/data/dkdm.xml"
+	};
+
+	vector<string> output;
+	auto error = run(make_args, output);
+	BOOST_CHECK(!error);
+
+	vector<string> bad_args = {
+		"kdm_cli",
+		"--valid-from", "now",
+		"--valid-duration", "2 weeks",
+		"--projector-certificate", path(dir / "cert.pem").string(),
+		"-S", "bad",
+		"-o", dir.string(),
+		path(dir / "KDM_Test_FTR-1_F-133_XX-XX_MOS_2K_20220109_SMPTE_OV__base.xml").string()
+	};
+
+	/* This should fail because we're using the wrong decryption certificate */
+	output.clear();
+	error = run(bad_args, output, false);
+	BOOST_REQUIRE(error);
+	BOOST_CHECK(error->find("oaep decoding error") != string::npos);
+
+	vector<string> good_args = {
+		"kdm_cli",
+		"--valid-from", "now",
+		"--valid-duration", "2 weeks",
+		"--projector-certificate", path(dir / "cert.pem").string(),
+		"--decryption-key", path(dir / "key.pem").string(),
+		"-S", "good",
+		"-o", dir.string(),
+		path(dir / "KDM_Test_FTR-1_F-133_XX-XX_MOS_2K_20220109_SMPTE_OV__base.xml").string()
+	};
+
+	/* This should succeed */
+	output.clear();
+	error = run(good_args, output);
+	BOOST_CHECK(!error);
+}
+
+
 static
 void
 setup_test_config()