From 9da0bac018e0e7dcad0c1aafaa7f6be6d434da96 Mon Sep 17 00:00:00 2001 From: Carl Hetherington Date: Wed, 9 Jan 2019 23:45:07 +0000 Subject: [PATCH] swaroop: store whole signer/decryption chains and private keys encrypted by machine UUID. --- src/lib/config.cc | 87 +++++++++++++++++++++--------------- src/lib/config.h | 9 ++-- src/lib/util.cc | 109 ++++++++++++++++++++++++++++++++++++++++++++++ src/lib/util.h | 4 ++ test/util_test.cc | 24 ++++++++++ 5 files changed, 196 insertions(+), 37 deletions(-) diff --git a/src/lib/config.cc b/src/lib/config.cc index 9dd6f638e..04cf6dd9b 100644 --- a/src/lib/config.cc +++ b/src/lib/config.cc @@ -1,5 +1,5 @@ /* - Copyright (C) 2012-2018 Carl Hetherington + Copyright (C) 2012-2019 Carl Hetherington This file is part of DCP-o-matic. @@ -179,6 +179,8 @@ Config::set_defaults () _player_watermark_period = 1; _player_watermark_duration = 50; _player_lock_file = boost::none; + _signer_chain_path = "signer"; + _decryption_chain_path = "decryption"; #endif _allowed_dcp_frame_rates.clear (); @@ -394,6 +396,21 @@ try } cxml::NodePtr signer = f.optional_node_child ("Signer"); +#ifdef DCPOMATIC_VARIANT_SWAROOP + if (signer && signer->node_children().size() == 1) { + /* The content of is a path to a file; if it's relative it's in the same + directory as .config. */ + _signer_chain_path = signer->content(); + if (_signer_chain_path.is_relative()) { + _signer_chain = read_swaroop_chain (path(_signer_chain_path.string())); + } else { + _signer_chain = read_swaroop_chain (_signer_chain_path); + } + } else { + /* is not present or has children: ignore it and remake. */ + _signer_chain = create_certificate_chain (); + } +#else if (signer) { shared_ptr c (new dcp::CertificateChain ()); /* Read the signing certificates and private key in from the config file */ @@ -406,6 +423,7 @@ try /* Make a new set of signing certificates and key */ _signer_chain = create_certificate_chain (); } +#endif /* These must be done before we call BadSignerChain as that might set one of the nags. @@ -432,29 +450,32 @@ try } cxml::NodePtr decryption = f.optional_node_child ("Decryption"); +#ifdef DCPOMATIC_VARIANT_SWAROOP + if (decryption && decryption->node_children().size() == 1) { + /* The content of is a path to a file; if it's relative, it's in the same + directory as .config. */ + _decryption_chain_path = decryption->content(); + if (_decryption_chain_path.is_relative()) { + _decryption_chain = read_swaroop_chain (path(_decryption_chain_path.string())); + } else { + _decryption_chain = read_swaroop_chain (_decryption_chain_path); + } + } else { + /* is not present or has more children: ignore it and remake. */ + _decryption_chain = create_certificate_chain (); + } +#else if (decryption) { shared_ptr c (new dcp::CertificateChain ()); BOOST_FOREACH (cxml::NodePtr i, decryption->node_children ("Certificate")) { c->add (dcp::Certificate (i->content ())); } - optional key = decryption->optional_string_child ("PrivateKey"); -#ifdef DCPOMATIC_VARIANT_SWAROOP - if (key) { - c->set_key (*key); - } else { - dcp::Data encrypted_key (path("private")); - dcp::Data iv (path("iv")); - c->set_key (dcpomatic::decrypt (encrypted_key, key_from_uuid(), iv)); - } -#else - DCPOMATIC_ASSERT (key); - c->set_key (*key); -#endif + c->set_key (decryption->string_child ("PrivateKey")); _decryption_chain = c; } else { _decryption_chain = create_certificate_chain (); } - +#endif if (f.optional_node_child("DKDMGroup")) { /* New-style: all DKDMs in a group */ _dkdms = dynamic_pointer_cast (DKDMBase::read (f.node_child("DKDMGroup"))); @@ -613,19 +634,6 @@ Config::write () const write_cinemas (); } -#ifdef DCPOMATIC_VARIANT_SWAROOP -/* Make up a key from the machine UUID */ -dcp::Data -Config::key_from_uuid () const -{ - dcp::Data key (dcpomatic::crypto_key_length()); - memset (key.data().get(), 0, key.size()); - string const magic = command_and_read ("dcpomatic2_uuid"); - strncpy ((char *) key.data().get(), magic.c_str(), dcpomatic::crypto_key_length()); - return key; -} -#endif - void Config::write_config () const { @@ -793,25 +801,36 @@ Config::write_config () const /* [XML] Signer Certificate chain and private key to use when signing DCPs and KDMs. Should contain <Certificate> tags in order and a <PrivateKey> tag all containing PEM-encoded certificates or private keys as appropriate. */ +#ifdef DCPOMATIC_VARIANT_SWAROOP + if (_signer_chain_path.is_relative()) { + write_swaroop_chain (_signer_chain, path(_signer_chain_path.string())); + } else { + write_swaroop_chain (_signer_chain, _signer_chain_path); + } + root->add_child("Signer")->add_child_text(_signer_chain_path.string()); +#else xmlpp::Element* signer = root->add_child ("Signer"); DCPOMATIC_ASSERT (_signer_chain); BOOST_FOREACH (dcp::Certificate const & i, _signer_chain->unordered()) { signer->add_child("Certificate")->add_child_text (i.certificate (true)); } signer->add_child("PrivateKey")->add_child_text (_signer_chain->key().get ()); +#endif /* [XML] Decryption Certificate chain and private key to use when decrypting KDMs */ +#ifdef DCPOMATIC_VARIANT_SWAROOP + if (_decryption_chain_path.is_relative()) { + write_swaroop_chain (_decryption_chain, path(_decryption_chain_path.string())); + } else { + write_swaroop_chain (_decryption_chain, _decryption_chain_path); + } + root->add_child("Decryption")->add_child_text(_decryption_chain_path.string()); +#else xmlpp::Element* decryption = root->add_child ("Decryption"); DCPOMATIC_ASSERT (_decryption_chain); BOOST_FOREACH (dcp::Certificate const & i, _decryption_chain->unordered()) { decryption->add_child("Certificate")->add_child_text (i.certificate (true)); } -#ifdef DCPOMATIC_VARIANT_SWAROOP - dcp::Data iv = dcpomatic::random_iv (); - dcp::Data encrypted_key = dcpomatic::encrypt (_decryption_chain->key().get(), key_from_uuid(), iv); - encrypted_key.write (path("private")); - iv.write (path("iv")); -#else decryption->add_child("PrivateKey")->add_child_text (_decryption_chain->key().get ()); #endif diff --git a/src/lib/config.h b/src/lib/config.h index e28928226..70d8f9200 100644 --- a/src/lib/config.h +++ b/src/lib/config.h @@ -1083,9 +1083,6 @@ private: boost::filesystem::path directory_or (boost::optional dir, boost::filesystem::path a) const; void add_to_history_internal (std::vector& h, boost::filesystem::path p); void backup (); -#ifdef DCPOMATIC_VARIANT_SWAROOP - dcp::Data key_from_uuid () const; -#endif template void maybe_set (T& member, T new_value, Property prop = OTHER) { @@ -1175,10 +1172,16 @@ private: std::string _notification_bcc; std::string _notification_email; boost::shared_ptr _signer_chain; +#ifdef DCPOMATIC_VARIANT_SWAROOP + boost::filesystem::path _signer_chain_path; +#endif /** Chain used to decrypt KDMs; the leaf of this chain is the target * certificate for making KDMs given to DCP-o-matic. */ boost::shared_ptr _decryption_chain; +#ifdef DCPOMATIC_VARIANT_SWAROOP + boost::filesystem::path _decryption_chain_path; +#endif /** true to check for updates on startup */ bool _check_for_updates; bool _check_for_test_updates; diff --git a/src/lib/util.cc b/src/lib/util.cc index 595c7e76e..a1ea8f9f1 100644 --- a/src/lib/util.cc +++ b/src/lib/util.cc @@ -35,6 +35,7 @@ #include "rect.h" #include "digester.h" #include "audio_processor.h" +#include "crypto.h" #include "compose.hpp" #include "audio_buffers.h" #include @@ -93,6 +94,7 @@ using boost::thread; using boost::optional; using boost::lexical_cast; using boost::bad_lexical_cast; +using boost::scoped_array; using dcp::Size; using dcp::raw_convert; using dcp::locale_convert; @@ -812,3 +814,110 @@ checked_fread (void* ptr, size_t size, FILE* stream, boost::filesystem::path pat } } } + +#ifdef DCPOMATIC_VARIANT_SWAROOP + +/* Make up a key from the machine UUID */ +dcp::Data +key_from_uuid () +{ + dcp::Data key (dcpomatic::crypto_key_length()); + memset (key.data().get(), 0, key.size()); + string const magic = command_and_read ("dcpomatic2_uuid"); + strncpy ((char *) key.data().get(), magic.c_str(), dcpomatic::crypto_key_length()); + return key; +} + +/* swaroop chain file format: + * + * 0 [int16_t] IV length + * 2 [int16_t] cert #1 length, or 0 for none + * 4 [int16_t] cert #2 length, or 0 for none + * 6 [int16_t] cert #3 length, or 0 for none + * 8 [int16_t] cert #4 length, or 0 for none + * 10 [int16_t] cert #5 length, or 0 for none + * 12 [int16_t] cert #6 length, or 0 for none + * 14 [int16_t] cert #7 length, or 0 for none + * 16 [int16_t] cert #8 length, or 0 for none + * 16 [int16_t] private key length + * 20 IV + * cert #1 + * cert #2 + * cert #3 + * cert #4 + * cert #5 + * cert #6 + * cert #7 + * cert #8 + * private key + */ + +struct __attribute__ ((packed)) Header_ { + int16_t iv_length; + int16_t cert_length[8]; + int16_t private_key_length; +}; + +typedef struct Header_ Header; + +shared_ptr +read_swaroop_chain (boost::filesystem::path path) +{ + dcp::Data data (path); + Header* header = (Header *) data.data().get(); + uint8_t* p = data.data().get() + sizeof(Header); + + dcp::Data iv (p, header->iv_length); + p += iv.size(); + + shared_ptr cc (new dcp::CertificateChain()); + for (int i = 0; i < 8; ++i) { + if (header->cert_length[i] == 0) { + break; + } + dcp::Data c(p, header->cert_length[i]); + p += c.size(); + cc->add (dcp::Certificate(dcpomatic::decrypt(c, key_from_uuid(), iv))); + } + + dcp::Data k (p, header->private_key_length); + cc->set_key (dcpomatic::decrypt(k, key_from_uuid(), iv)); + return cc; +} + +void +write_swaroop_chain (shared_ptr chain, boost::filesystem::path output) +{ + cout << "write " << output.string() << "\n"; + + scoped_array buffer (new uint8_t[65536]); + Header* header = (Header *) buffer.get(); + memset (header, 0, sizeof(Header)); + uint8_t* p = buffer.get() + sizeof(Header); + + dcp::Data iv = dcpomatic::random_iv (); + header->iv_length = iv.size (); + memcpy (p, iv.data().get(), iv.size()); + p += iv.size(); + + int N = 0; + BOOST_FOREACH (dcp::Certificate i, chain->root_to_leaf()) { + dcp::Data e = dcpomatic::encrypt (i.certificate(true), key_from_uuid(), iv); + memcpy (p, e.data().get(), e.size()); + p += e.size(); + DCPOMATIC_ASSERT (N < 8); + header->cert_length[N] = e.size (); + ++N; + } + + dcp::Data k = dcpomatic::encrypt (chain->key().get(), key_from_uuid(), iv); + memcpy (p, k.data().get(), k.size()); + p += k.size(); + header->private_key_length = k.size (); + + FILE* f = fopen_boost (output, "wb"); + checked_fwrite (buffer.get(), p - buffer.get(), f, output); + fclose (f); +} + +#endif diff --git a/src/lib/util.h b/src/lib/util.h index 94e9e3761..bdf2480fc 100644 --- a/src/lib/util.h +++ b/src/lib/util.h @@ -100,5 +100,9 @@ extern boost::shared_ptr remap (boost::shared_ptr read_swaroop_chain (boost::filesystem::path path); +extern void write_swaroop_chain (boost::shared_ptr chain, boost::filesystem::path output); +#endif #endif diff --git a/test/util_test.cc b/test/util_test.cc index 4b3e20ae3..ba33b42c5 100644 --- a/test/util_test.cc +++ b/test/util_test.cc @@ -24,7 +24,9 @@ */ #include "lib/util.h" +#include "lib/cross.h" #include "lib/exceptions.h" +#include #include using std::string; @@ -89,3 +91,25 @@ BOOST_AUTO_TEST_CASE (tidy_for_filename_test) BOOST_CHECK_EQUAL (tidy_for_filename ("fish/chips\\"), "fish_chips_"); BOOST_CHECK_EQUAL (tidy_for_filename ("abcdefghï"), "abcdefghï"); } + +#ifdef DCPOMATIC_VARIANT_SWAROOP +BOOST_AUTO_TEST_CASE (swaroop_chain_test) +{ + shared_ptr cc ( + new dcp::CertificateChain ( + openssl_path(), + "dcpomatic.com", + "dcpomatic.com", + ".dcpomatic.smpte-430-2.ROOT", + ".dcpomatic.smpte-430-2.INTERMEDIATE", + "CS.dcpomatic.smpte-430-2.LEAF" + ) + ); + + write_swaroop_chain (cc, "build/test/swaroop_chain"); + shared_ptr back = read_swaroop_chain ("build/test/swaroop_chain"); + + BOOST_CHECK (cc->root_to_leaf() == back->root_to_leaf()); +} + +#endif -- 2.30.2