projects
/
dcpomatic.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
a65efe6
)
swaroop: encrypt decryption private key with motherboard UUID.
author
Carl Hetherington
<cth@carlh.net>
Sun, 23 Dec 2018 21:04:38 +0000
(21:04 +0000)
committer
Carl Hetherington
<cth@carlh.net>
Sun, 23 Dec 2018 21:04:49 +0000
(21:04 +0000)
src/lib/config.cc
patch
|
blob
|
history
src/lib/config.h
patch
|
blob
|
history
src/lib/cross.cc
patch
|
blob
|
history
src/lib/cross.h
patch
|
blob
|
history
src/lib/crypto.cc
patch
|
blob
|
history
src/lib/crypto.h
patch
|
blob
|
history
test/crypto_test.cc
patch
|
blob
|
history
diff --git
a/src/lib/config.cc
b/src/lib/config.cc
index e61eea3a6f89f7cd916be30b9cb8a54aa595dc95..172890dcfbc34610a83a1d5b26ec64cdd0a6108f 100644
(file)
--- a/
src/lib/config.cc
+++ b/
src/lib/config.cc
@@
-32,6
+32,7
@@
#include "film.h"
#include "dkdm_wrapper.h"
#include "compose.hpp"
#include "film.h"
#include "dkdm_wrapper.h"
#include "compose.hpp"
+#include "crypto.h"
#include <dcp/raw_convert.h>
#include <dcp/name_format.h>
#include <dcp/certificate_chain.h>
#include <dcp/raw_convert.h>
#include <dcp/name_format.h>
#include <dcp/certificate_chain.h>
@@
-61,6
+62,7
@@
using boost::shared_ptr;
using boost::optional;
using boost::dynamic_pointer_cast;
using boost::algorithm::trim;
using boost::optional;
using boost::dynamic_pointer_cast;
using boost::algorithm::trim;
+using boost::shared_array;
using dcp::raw_convert;
Config* Config::_instance = 0;
using dcp::raw_convert;
Config* Config::_instance = 0;
@@
-435,7
+437,19
@@
try
BOOST_FOREACH (cxml::NodePtr i, decryption->node_children ("Certificate")) {
c->add (dcp::Certificate (i->content ()));
}
BOOST_FOREACH (cxml::NodePtr i, decryption->node_children ("Certificate")) {
c->add (dcp::Certificate (i->content ()));
}
- c->set_key (decryption->string_child ("PrivateKey"));
+ optional<string> key = decryption->optional_string_child ("PrivateKey");
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+ if (key) {
+ c->set_key (*key);
+ } else {
+ dcp::Data encrypted_key (path("private"));
+ dcp::Data iv (path("iv"));
+ c->set_key (dcpomatic::decrypt (encrypted_key, key_from_uuid(), iv));
+ }
+#else
+ DCPOMATIC_ASSERT (key);
+ c->set_key (*key);
+#endif
_decryption_chain = c;
} else {
_decryption_chain = create_certificate_chain ();
_decryption_chain = c;
} else {
_decryption_chain = create_certificate_chain ();
@@
-599,6
+613,19
@@
Config::write () const
write_cinemas ();
}
write_cinemas ();
}
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+/* Make up a key from the machine UUID */
+dcp::Data
+Config::key_from_uuid () const
+{
+ dcp::Data key (dcpomatic::crypto_key_length());
+ memset (key.data().get(), 0, key.size());
+ string const magic = command_and_read ("dcpomatic2_uuid");
+ strncpy ((char *) key.data().get(), magic.c_str(), dcpomatic::crypto_key_length());
+ return key;
+}
+#endif
+
void
Config::write_config () const
{
void
Config::write_config () const
{
@@
-771,18
+798,7
@@
Config::write_config () const
BOOST_FOREACH (dcp::Certificate const & i, _signer_chain->unordered()) {
signer->add_child("Certificate")->add_child_text (i.certificate (true));
}
BOOST_FOREACH (dcp::Certificate const & i, _signer_chain->unordered()) {
signer->add_child("Certificate")->add_child_text (i.certificate (true));
}
-#ifdef DCPOMATIC_SWAROOP
- FILE* f = fopen_boost (path("private"), "wb");
- if (!f) {
- throw FileError ("Could not open file for writing", path("private"));
- }
- shared_array<uint8_t> iv = dcpomatic::random_iv ();
- dcp::Data encrypted_key = dcpomatic::encrypt (_signer_chain->key().get(), key, iv);
- fwrite (encrypted_key.data().get(), encrypted_key.data().size(), 1, f);
- fclose (f);
-#else
signer->add_child("PrivateKey")->add_child_text (_signer_chain->key().get ());
signer->add_child("PrivateKey")->add_child_text (_signer_chain->key().get ());
-#endif
/* [XML] Decryption Certificate chain and private key to use when decrypting KDMs */
xmlpp::Element* decryption = root->add_child ("Decryption");
/* [XML] Decryption Certificate chain and private key to use when decrypting KDMs */
xmlpp::Element* decryption = root->add_child ("Decryption");
@@
-790,7
+806,14
@@
Config::write_config () const
BOOST_FOREACH (dcp::Certificate const & i, _decryption_chain->unordered()) {
decryption->add_child("Certificate")->add_child_text (i.certificate (true));
}
BOOST_FOREACH (dcp::Certificate const & i, _decryption_chain->unordered()) {
decryption->add_child("Certificate")->add_child_text (i.certificate (true));
}
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+ dcp::Data iv = dcpomatic::random_iv ();
+ dcp::Data encrypted_key = dcpomatic::encrypt (_decryption_chain->key().get(), key_from_uuid(), iv);
+ encrypted_key.write (path("private"));
+ iv.write (path("iv"));
+#else
decryption->add_child("PrivateKey")->add_child_text (_decryption_chain->key().get ());
decryption->add_child("PrivateKey")->add_child_text (_decryption_chain->key().get ());
+#endif
/* [XML] History Filename of DCP to present in the <guilabel>File</guilabel> menu of the GUI; there can be more than one
of these tags.
/* [XML] History Filename of DCP to present in the <guilabel>File</guilabel> menu of the GUI; there can be more than one
of these tags.
diff --git
a/src/lib/config.h
b/src/lib/config.h
index 0e5f9dfd17f78ffabf4910fd1a109b257888f724..e28928226c59c43d36c4ceed2fa6829e62ff388b 100644
(file)
--- a/
src/lib/config.h
+++ b/
src/lib/config.h
@@
-1083,6
+1083,9
@@
private:
boost::filesystem::path directory_or (boost::optional<boost::filesystem::path> dir, boost::filesystem::path a) const;
void add_to_history_internal (std::vector<boost::filesystem::path>& h, boost::filesystem::path p);
void backup ();
boost::filesystem::path directory_or (boost::optional<boost::filesystem::path> dir, boost::filesystem::path a) const;
void add_to_history_internal (std::vector<boost::filesystem::path>& h, boost::filesystem::path p);
void backup ();
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+ dcp::Data key_from_uuid () const;
+#endif
template <class T>
void maybe_set (T& member, T new_value, Property prop = OTHER) {
template <class T>
void maybe_set (T& member, T new_value, Property prop = OTHER) {
diff --git
a/src/lib/cross.cc
b/src/lib/cross.cc
index e3fb22f3999544f69cd0be9be5e40b7e3fb2fb03..171bf2c8100767bb79d8d5b610767c768a44e705 100644
(file)
--- a/
src/lib/cross.cc
+++ b/
src/lib/cross.cc
@@
-474,3
+474,30
@@
home_directory ()
return boost::filesystem::path(getenv("HOMEDRIVE")) / boost::filesystem::path(getenv("HOMEPATH"));
#endif
}
return boost::filesystem::path(getenv("HOMEDRIVE")) / boost::filesystem::path(getenv("HOMEPATH"));
#endif
}
+
+string
+command_and_read (string cmd)
+{
+#ifdef DCPOMATIC_LINUX
+ FILE* pipe = popen (cmd.c_str(), "r");
+ if (!pipe) {
+ throw runtime_error ("popen failed");
+ }
+
+ string result;
+ char buffer[128];
+ try {
+ while (fgets(buffer, sizeof(buffer), pipe)) {
+ result += buffer;
+ }
+ } catch (...) {
+ pclose (pipe);
+ throw;
+ }
+
+ pclose (pipe);
+ return result;
+#endif
+
+ return "";
+}
diff --git
a/src/lib/cross.h
b/src/lib/cross.h
index ee5e7919a8191c1297afb5170850fe83c0ba7558..06e198e99ad7a371e899dbe3023a17b2314afd64 100644
(file)
--- a/
src/lib/cross.h
+++ b/
src/lib/cross.h
@@
-56,6
+56,7
@@
extern void start_player (boost::filesystem::path dcpomatic);
extern uint64_t thread_id ();
extern int avio_open_boost (AVIOContext** s, boost::filesystem::path file, int flags);
extern boost::filesystem::path home_directory ();
extern uint64_t thread_id ();
extern int avio_open_boost (AVIOContext** s, boost::filesystem::path file, int flags);
extern boost::filesystem::path home_directory ();
+extern std::string command_and_read (std::string cmd);
/** @class Waker
* @brief A class which tries to keep the computer awake on various operating systems.
/** @class Waker
* @brief A class which tries to keep the computer awake on various operating systems.
diff --git
a/src/lib/crypto.cc
b/src/lib/crypto.cc
index 69e041cb2cff83b70891240e46928e5152f31de8..b02a3d34c5959abb959a3c777a806fe569b82bfa 100644
(file)
--- a/
src/lib/crypto.cc
+++ b/
src/lib/crypto.cc
@@
-35,24
+35,24
@@
using namespace dcpomatic;
/** The cipher that this code uses */
#define CIPHER EVP_aes_256_cbc()
/** The cipher that this code uses */
#define CIPHER EVP_aes_256_cbc()
-shared_array<unsigned char>
+dcp::Data
dcpomatic::random_iv ()
{
EVP_CIPHER const * cipher = CIPHER;
dcpomatic::random_iv ()
{
EVP_CIPHER const * cipher = CIPHER;
-
shared_array<unsigned char> iv (new unsigned char[EVP_CIPHER_iv_length(cipher)]
);
- RAND_bytes (iv.
get(), EVP_CIPHER_iv_length(cipher
));
+
dcp::Data iv (EVP_CIPHER_iv_length(cipher)
);
+ RAND_bytes (iv.
data().get(), iv.size(
));
return iv;
}
dcp::Data
return iv;
}
dcp::Data
-dcpomatic::encrypt (string plaintext,
shared_array<unsigned char const> key, shared_array<unsigned char const>
iv)
+dcpomatic::encrypt (string plaintext,
dcp::Data key, dcp::Data
iv)
{
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new ();
if (!ctx) {
throw CryptoError ("could not create cipher context");
}
{
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new ();
if (!ctx) {
throw CryptoError ("could not create cipher context");
}
- int r = EVP_EncryptInit_ex (ctx, CIPHER, 0, key.
get(), iv
.get());
+ int r = EVP_EncryptInit_ex (ctx, CIPHER, 0, key.
data().get(), iv.data()
.get());
if (r != 1) {
throw CryptoError ("could not initialise cipher context for encryption");
}
if (r != 1) {
throw CryptoError ("could not initialise cipher context for encryption");
}
@@
-60,7
+60,7
@@
dcpomatic::encrypt (string plaintext, shared_array<unsigned char const> key, sha
dcp::Data ciphertext (plaintext.size() * 2);
int len;
dcp::Data ciphertext (plaintext.size() * 2);
int len;
- r = EVP_EncryptUpdate (ctx, ciphertext.data().get(), &len, (u
nsigned char
const *) plaintext.c_str(), plaintext.size());
+ r = EVP_EncryptUpdate (ctx, ciphertext.data().get(), &len, (u
int8_t
const *) plaintext.c_str(), plaintext.size());
if (r != 1) {
throw CryptoError ("could not encrypt data");
}
if (r != 1) {
throw CryptoError ("could not encrypt data");
}
@@
-80,14
+80,14
@@
dcpomatic::encrypt (string plaintext, shared_array<unsigned char const> key, sha
}
string
}
string
-dcpomatic::decrypt (dcp::Data ciphertext,
shared_array<unsigned char const> key, shared_array<unsigned char const>
iv)
+dcpomatic::decrypt (dcp::Data ciphertext,
dcp::Data key, dcp::Data
iv)
{
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new ();
if (!ctx) {
throw CryptoError ("could not create cipher context");
}
{
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new ();
if (!ctx) {
throw CryptoError ("could not create cipher context");
}
- int r = EVP_DecryptInit_ex (ctx, CIPHER, 0, key.
get(), iv
.get());
+ int r = EVP_DecryptInit_ex (ctx, CIPHER, 0, key.
data().get(), iv.data()
.get());
if (r != 1) {
throw CryptoError ("could not initialise cipher context for decryption");
}
if (r != 1) {
throw CryptoError ("could not initialise cipher context for decryption");
}
diff --git
a/src/lib/crypto.h
b/src/lib/crypto.h
index ea46162a4ab9151f56ce49073e186d5a2f74cc89..e450d4db1da729ad7b0299f0d479efffe1b69a7c 100644
(file)
--- a/
src/lib/crypto.h
+++ b/
src/lib/crypto.h
@@
-22,9
+22,9
@@
namespace dcpomatic {
namespace dcpomatic {
-
boost::shared_array<unsigned char>
random_iv ();
-dcp::Data encrypt (std::string plaintext,
boost::shared_array<unsigned char const> key, boost::shared_array<unsigned char const>
iv);
-std::string decrypt (dcp::Data ciphertext,
boost::shared_array<unsigned char const> key, boost::shared_array<unsigned char const>
iv);
+
dcp::Data
random_iv ();
+dcp::Data encrypt (std::string plaintext,
dcp::Data key, dcp::Data
iv);
+std::string decrypt (dcp::Data ciphertext,
dcp::Data key, dcp::Data
iv);
int crypto_key_length ();
}
int crypto_key_length ();
}
diff --git
a/test/crypto_test.cc
b/test/crypto_test.cc
index 576a6ebc6bdbb28772ebe940ecb82a1dfd941e5d..586535dfe3568332706485615cb5a798b470f0e4 100644
(file)
--- a/
test/crypto_test.cc
+++ b/
test/crypto_test.cc
@@
-30,15
+30,15
@@
using boost::shared_array;
BOOST_AUTO_TEST_CASE (crypto_test)
{
BOOST_AUTO_TEST_CASE (crypto_test)
{
-
shared_array<unsigned char> key (new unsigned char[dcpomatic::crypto_key_length()]
);
-
shared_array<unsigned char>
iv = dcpomatic::random_iv ();
+
dcp::Data key (dcpomatic::crypto_key_length()
);
+
dcp::Data
iv = dcpomatic::random_iv ();
- RAND_bytes (key.get(), dcpomatic::crypto_key_length());
+ RAND_bytes (key.
data().
get(), dcpomatic::crypto_key_length());
dcp::Data ciphertext = dcpomatic::encrypt ("Can you see any fish?", key, iv);
BOOST_REQUIRE_EQUAL (dcpomatic::decrypt (ciphertext, key, iv), "Can you see any fish?");
dcp::Data ciphertext = dcpomatic::encrypt ("Can you see any fish?", key, iv);
BOOST_REQUIRE_EQUAL (dcpomatic::decrypt (ciphertext, key, iv), "Can you see any fish?");
- key[5]++;
+ key
.data()
[5]++;
BOOST_REQUIRE_THROW (dcpomatic::decrypt (ciphertext, key, iv), CryptoError);
}
BOOST_REQUIRE_THROW (dcpomatic::decrypt (ciphertext, key, iv), CryptoError);
}
projects / dcpomatic.git / commitdiff