case BAD_SIGNER_UTF8_STRINGS:
case BAD_SIGNER_INCONSISTENT:
case BAD_SIGNER_VALIDITY_TOO_LONG:
+ case BAD_SIGNER_DN_QUALIFIER:
_signer_chain = create_certificate_chain ();
break;
case BAD_DECRYPTION_INCONSISTENT:
if ((i.not_after().year() - i.not_before().year()) > 15) {
bad = BAD_SIGNER_VALIDITY_TOO_LONG;
}
+ if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) {
+ bad = BAD_SIGNER_DN_QUALIFIER;
+ }
}
if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
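Review bot: The added dnQualifier check writes to the same `bad` variable as the validity-period check directly above it, so a certificate with both faults is reported only as `BAD_SIGNER_DN_QUALIFIER`, and a later certificate in the chain can overwrite the reason set by an earlier one. Both reasons appear to end in the chain being recreated, so the result is the same when the user accepts, but the precedence deserves a comment such as `// dnQualifier mismatch takes priority over validity length; either one triggers a chain rebuild`. It is also not obvious why only the stored qualifier goes through `dcp::escape_digest()` while `dcp::public_key_digest()` is compared as-is. If the reason is that the latter already returns the escaped form, say so next to the comparison, since neither helper is visible in this diff and an asymmetric normalisation is easy to break later. The enclosing loop and function start outside the hunk.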
NAG_32_ON_64,
NAG_TOO_MANY_DROPPED_FRAMES,
NAG_BAD_SIGNER_CHAIN_VALIDITY,
+ NAG_BAD_SIGNER_DN_QUALIFIER,
NAG_COUNT
};
BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years
+ BAD_SIGNER_DN_QUALIFIER, ///< some signer certificate has a bad dnQualifier (DoM #2716).
};
static boost::signals2::signal<bool (BadReason)> Bad;
}
return true;
}
+ case Config::BAD_SIGNER_DN_QUALIFIER:
+ {
+ RecreateChainDialog dialog(
+ _frame, _("Recreate signing certificates"),
+ _("The certificate chain that DCP-o-matic uses for signing DCPs and KDMs contains a small error\n"
+ "which will prevent DCPs from being validated correctly on some systems. This error was caused\n"
+ "by a bug in DCP-o-matic which has now been fixed. Do you want to re-create the certificate chain\n"
+ "for signing DCPs and KDMs?"),
+ _("Do nothing"),
+ Config::NAG_BAD_SIGNER_DN_QUALIFIER
+ );
+ return dialog.ShowModal() == wxID_OK;
+ }
default:
DCPOMATIC_ASSERT (false);
}
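Review bot: The new `Config::BAD_SIGNER_DN_QUALIFIER` dialog does not tell the user what accepting changes, and its "Do nothing" path is tied to `Config::NAG_BAD_SIGNER_DN_QUALIFIER`, which looks like it allows the warning to be silenced permanently. If `RecreateChainDialog` offers a "don't ask again" choice for that nag (its implementation is not shown here), one click leaves the application signing DCPs and KDMs with a chain that the message itself says some systems will fail to validate, with no further indication. Consider adding a sentence to the message that the existing signing certificates will be replaced, and writing a log entry when the check fails but the nag is suppressed, so the unresolved state remains discoverable. The enclosing switch and function begin outside the hunk.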
-Subproject commit ae6d44f2c605b2035fa0346798c3b536ed1a0160
+Subproject commit a4ad4c1a4880d02aabf2790e11c4e5c2c28034dc