From: Carl Hetherington <cth@carlh.net>
Date: Mon, 8 Jan 2024 18:01:21 +0000 (+0100)
Subject: Check for bad DN qualifiers on signer certificates (#2716).
X-Git-Tag: v2.16.72~41
X-Git-Url: https://git.carlh.net/gitweb/?p=dcpomatic.git;a=commitdiff_plain;h=69a84c50d0e1196c3a83883173e4a301ff550364

Check for bad DN qualifiers on signer certificates (#2716).
---

diff --git a/src/lib/config.cc b/src/lib/config.cc
index 45fc61923..1bb2f3c6a 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -501,6 +501,7 @@ try
 			case BAD_SIGNER_UTF8_STRINGS:
 			case BAD_SIGNER_INCONSISTENT:
 			case BAD_SIGNER_VALIDITY_TOO_LONG:
+			case BAD_SIGNER_DN_QUALIFIER:
 				_signer_chain = create_certificate_chain ();
 				break;
 			case BAD_DECRYPTION_INCONSISTENT:
@@ -1590,6 +1591,9 @@ Config::check_certificates () const
 		if ((i.not_after().year() - i.not_before().year()) > 15) {
 			bad = BAD_SIGNER_VALIDITY_TOO_LONG;
 		}
+		if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) {
+			bad = BAD_SIGNER_DN_QUALIFIER;
+		}
 	}
 
 	if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
diff --git a/src/lib/config.h b/src/lib/config.h
index 0a332bcbb..dce4aafef 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -430,6 +430,7 @@ public:
 		NAG_32_ON_64,
 		NAG_TOO_MANY_DROPPED_FRAMES,
 		NAG_BAD_SIGNER_CHAIN_VALIDITY,
+		NAG_BAD_SIGNER_DN_QUALIFIER,
 		NAG_COUNT
 	};
 
@@ -1224,6 +1225,7 @@ public:
 		BAD_SIGNER_INCONSISTENT,      ///< signer chain is somehow inconsistent
 		BAD_DECRYPTION_INCONSISTENT,  ///< KDM decryption chain is somehow inconsistent
 		BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years
+		BAD_SIGNER_DN_QUALIFIER,      ///< some signer certificate has a bad dnQualifier (DoM #2716).
 	};
 
 	static boost::signals2::signal<bool (BadReason)> Bad;
diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index 5bd8b8def..8faaf5bcd 100644
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
@@ -1919,6 +1919,19 @@ private:
 			}
 			return true;
 		}
+		case Config::BAD_SIGNER_DN_QUALIFIER:
+		{
+			RecreateChainDialog dialog(
+				_frame, _("Recreate signing certificates"),
+				_("The certificate chain that DCP-o-matic uses for signing DCPs and KDMs contains a small error\n"
+				  "which will prevent DCPs from being validated correctly on some systems.  This error was caused\n"
+				  "by a bug in DCP-o-matic which has now been fixed. Do you want to re-create the certificate chain\n"
+				  "for signing DCPs and KDMs?"),
+				_("Do nothing"),
+				Config::NAG_BAD_SIGNER_DN_QUALIFIER
+				);
+			return dialog.ShowModal() == wxID_OK;
+		}
 		default:
 			DCPOMATIC_ASSERT (false);
 		}
diff --git a/test/data b/test/data
index ae6d44f2c..a4ad4c1a4 160000
--- a/test/data
+++ b/test/data
@@ -1 +1 @@
-Subproject commit ae6d44f2c605b2035fa0346798c3b536ed1a0160
+Subproject commit a4ad4c1a4880d02aabf2790e11c4e5c2c28034dc