From 3e6b2d886961177c8d89b3f9168393d33c13bff2 Mon Sep 17 00:00:00 2001
From: Carl Hetherington
Date: Sat, 12 Feb 2022 23:11:44 +0100
Subject: [PATCH] Warn if the signing certificates have a validity period > 10 years (#2174).
---
 src/lib/config.cc | 4 ++++
 src/lib/config.h | 8 +++++---
 src/tools/dcpomatic.cc | 17 +++++++++++++++++
 3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/lib/config.cc b/src/lib/config.cc
index abf0eb42b..371682966 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -456,6 +456,9 @@ try
 if (i.has_utf8_strings()) {
 bad = BAD_SIGNER_UTF8_STRINGS;
 }
+ if ((i.not_after().year() - i.not_before().year()) > 15) {
+ bad = BAD_SIGNER_VALIDITY_TOO_LONG;
+ }
 }
 if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
@@ -472,6 +475,7 @@ try
 switch (*bad) {
 case BAD_SIGNER_UTF8_STRINGS:
 case BAD_SIGNER_INCONSISTENT:
+ case BAD_SIGNER_VALIDITY_TOO_LONG:
 _signer_chain = create_certificate_chain ();
 break;
 case BAD_DECRYPTION_INCONSISTENT:
diff --git a/src/lib/config.h b/src/lib/config.h
index 19e05608c..6e197d36d 100644
--- a/src/lib/config.h
+++ b/src/lib/config.h
@@ -402,6 +402,7 @@ public:
 NAG_DELETE_DKDM,
 NAG_32_ON_64,
 NAG_TOO_MANY_DROPPED_FRAMES,
+ NAG_BAD_SIGNER_CHAIN_VALIDITY,
 NAG_COUNT
 };
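Review bot: The threshold in the added validity check in src/lib/config.cc, `> 15`, disagrees with the commit subject and with the `BAD_SIGNER_VALIDITY_TOO_LONG` comment added in src/lib/config.h, which both say 10 years. Either compare against 10, `if ((i.not_after().year() - i.not_before().year()) > 10) {`, or keep 15 and state the reason in a comment and in the enum documentation, so the limit a maintainer reads is the limit that is enforced. Subtracting calendar years also ignores month and day, so the measured period can be off by almost a year in either direction; comparing the full not_before/not_after dates would make the boundary exact. The enclosing function starts and ends outside the hunk.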
@@ -1059,9 +1060,10 @@ public:
 * true to ask Config to solve the problem (by discarding and recreating the bad thing)
 */
 enum BadReason {
- BAD_SIGNER_UTF8_STRINGS, ///< signer chain contains UTF-8 strings (not PRINTABLESTRING)
- BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
- BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
+ BAD_SIGNER_UTF8_STRINGS, ///< signer chain contains UTF-8 strings (not PRINTABLESTRING)
+ BAD_SIGNER_INCONSISTENT, ///< signer chain is somehow inconsistent
+ BAD_DECRYPTION_INCONSISTENT, ///< KDM decryption chain is somehow inconsistent
+ BAD_SIGNER_VALIDITY_TOO_LONG, ///< signer certificate validity periods are >10 years
 };
 static boost::signals2::signal Bad;
diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index a273d008b..9990f05ad 100644
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
@@ -1822,6 +1822,23 @@ private:
 d->Destroy ();
 return r == wxID_OK;
 }
+ case Config::BAD_SIGNER_VALIDITY_TOO_LONG:
+ {
+ if (config->nagged(Config::NAG_BAD_SIGNER_CHAIN_VALIDITY)) {
+ return false;
+ }
+ auto d = new RecreateChainDialog (
+ _frame, _("Recreate signing certificates"),
+ _("The certificate chain that DCP-o-matic uses for signing DCPs and KDMs has a validity period\n"
+ "that is too long. This will cause problems playing back DCPs on some systems.\n"
+ "Do you want to re-create the certificate chain for signing DCPs and KDMs?"),
+ _("Do nothing"),
+ Config::NAG_BAD_SIGNER_CHAIN_VALIDITY
+ );
+ int const r = d->ShowModal ();
+ d->Destroy ();
+ return r == wxID_OK;
+ }
 case Config::BAD_SIGNER_INCONSISTENT:
 {
 auto d = new RecreateChainDialog (
--
2.30.2
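Review bot: The early `return false` in the new `BAD_SIGNER_VALIDITY_TOO_LONG` case in src/tools/dcpomatic.cc can also silence an unrelated problem once `NAG_BAD_SIGNER_CHAIN_VALIDITY` has been dismissed, because the check added in src/lib/config.cc assigns `bad` after the UTF-8 test, so a chain with both faults arrives here only as too-long validity. Whether the UTF-8 case would otherwise have prompted is not visible in this hunk, so this should be confirmed against the other cases of the switch. The dialog text would also serve the user better if it named the limit that was exceeded and said that the existing signing certificates are replaced (presumably together with their key). A comment such as `// Nag-suppressible: an over-long validity is a compatibility warning, the chain itself is still usable` above the `nagged()` test would record why this case may be skipped. The switch and its enclosing function start and end outside the hunk.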