swaroop: store whole signer/decryption chains and private keys encrypted by machine...
authorCarl Hetherington <cth@carlh.net>
Wed, 9 Jan 2019 23:45:07 +0000 (23:45 +0000)
committerCarl Hetherington <cth@carlh.net>
Wed, 9 Jan 2019 23:45:07 +0000 (23:45 +0000)
src/lib/config.cc
src/lib/config.h
src/lib/util.cc
src/lib/util.h
test/util_test.cc

index 9dd6f63..04cf6dd 100644 (file)
@@ -1,5 +1,5 @@
 /*
-    Copyright (C) 2012-2018 Carl Hetherington <cth@carlh.net>
+    Copyright (C) 2012-2019 Carl Hetherington <cth@carlh.net>
 
     This file is part of DCP-o-matic.
 
@@ -179,6 +179,8 @@ Config::set_defaults ()
        _player_watermark_period = 1;
        _player_watermark_duration = 50;
        _player_lock_file = boost::none;
+       _signer_chain_path = "signer";
+       _decryption_chain_path = "decryption";
 #endif
 
        _allowed_dcp_frame_rates.clear ();
@@ -394,6 +396,21 @@ try
        }
 
        cxml::NodePtr signer = f.optional_node_child ("Signer");
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       if (signer && signer->node_children().size() == 1) {
+               /* The content of <Signer> is a path to a file; if it's relative it's in the same
+                  directory as .config. */
+               _signer_chain_path = signer->content();
+               if (_signer_chain_path.is_relative()) {
+                       _signer_chain = read_swaroop_chain (path(_signer_chain_path.string()));
+               } else {
+                       _signer_chain = read_swaroop_chain (_signer_chain_path);
+               }
+       } else {
+               /* <Signer> is not present or has children: ignore it and remake. */
+               _signer_chain = create_certificate_chain ();
+       }
+#else
        if (signer) {
                shared_ptr<dcp::CertificateChain> c (new dcp::CertificateChain ());
                /* Read the signing certificates and private key in from the config file */
@@ -406,6 +423,7 @@ try
                /* Make a new set of signing certificates and key */
                _signer_chain = create_certificate_chain ();
        }
+#endif
 
        /* These must be done before we call BadSignerChain as that might set one
           of the nags.
@@ -432,29 +450,32 @@ try
        }
 
        cxml::NodePtr decryption = f.optional_node_child ("Decryption");
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       if (decryption && decryption->node_children().size() == 1) {
+               /* The content of <Decryption> is a path to a file; if it's relative, it's in the same
+                  directory as .config. */
+               _decryption_chain_path = decryption->content();
+               if (_decryption_chain_path.is_relative()) {
+                       _decryption_chain = read_swaroop_chain (path(_decryption_chain_path.string()));
+               } else {
+                       _decryption_chain = read_swaroop_chain (_decryption_chain_path);
+               }
+       } else {
+               /* <Decryption> is not present or has more children: ignore it and remake. */
+               _decryption_chain = create_certificate_chain ();
+       }
+#else
        if (decryption) {
                shared_ptr<dcp::CertificateChain> c (new dcp::CertificateChain ());
                BOOST_FOREACH (cxml::NodePtr i, decryption->node_children ("Certificate")) {
                        c->add (dcp::Certificate (i->content ()));
                }
-               optional<string> key = decryption->optional_string_child ("PrivateKey");
-#ifdef DCPOMATIC_VARIANT_SWAROOP
-               if (key) {
-                       c->set_key (*key);
-               } else {
-                       dcp::Data encrypted_key (path("private"));
-                       dcp::Data iv (path("iv"));
-                       c->set_key (dcpomatic::decrypt (encrypted_key, key_from_uuid(), iv));
-               }
-#else
-               DCPOMATIC_ASSERT (key);
-               c->set_key (*key);
-#endif
+               c->set_key (decryption->string_child ("PrivateKey"));
                _decryption_chain = c;
        } else {
                _decryption_chain = create_certificate_chain ();
        }
-
+#endif
        if (f.optional_node_child("DKDMGroup")) {
                /* New-style: all DKDMs in a group */
                _dkdms = dynamic_pointer_cast<DKDMGroup> (DKDMBase::read (f.node_child("DKDMGroup")));
@@ -613,19 +634,6 @@ Config::write () const
        write_cinemas ();
 }
 
-#ifdef DCPOMATIC_VARIANT_SWAROOP
-/* Make up a key from the machine UUID */
-dcp::Data
-Config::key_from_uuid () const
-{
-       dcp::Data key (dcpomatic::crypto_key_length());
-       memset (key.data().get(), 0, key.size());
-       string const magic = command_and_read ("dcpomatic2_uuid");
-       strncpy ((char *) key.data().get(), magic.c_str(), dcpomatic::crypto_key_length());
-       return key;
-}
-#endif
-
 void
 Config::write_config () const
 {
@@ -793,25 +801,36 @@ Config::write_config () const
        /* [XML] Signer Certificate chain and private key to use when signing DCPs and KDMs.  Should contain <code>&lt;Certificate&gt;</code>
           tags in order and a <code>&lt;PrivateKey&gt;</code> tag all containing PEM-encoded certificates or private keys as appropriate.
        */
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       if (_signer_chain_path.is_relative()) {
+               write_swaroop_chain (_signer_chain, path(_signer_chain_path.string()));
+       } else {
+               write_swaroop_chain (_signer_chain, _signer_chain_path);
+       }
+       root->add_child("Signer")->add_child_text(_signer_chain_path.string());
+#else
        xmlpp::Element* signer = root->add_child ("Signer");
        DCPOMATIC_ASSERT (_signer_chain);
        BOOST_FOREACH (dcp::Certificate const & i, _signer_chain->unordered()) {
                signer->add_child("Certificate")->add_child_text (i.certificate (true));
        }
        signer->add_child("PrivateKey")->add_child_text (_signer_chain->key().get ());
+#endif
 
        /* [XML] Decryption Certificate chain and private key to use when decrypting KDMs */
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       if (_decryption_chain_path.is_relative()) {
+               write_swaroop_chain (_decryption_chain, path(_decryption_chain_path.string()));
+       } else {
+               write_swaroop_chain (_decryption_chain, _decryption_chain_path);
+       }
+       root->add_child("Decryption")->add_child_text(_decryption_chain_path.string());
+#else
        xmlpp::Element* decryption = root->add_child ("Decryption");
        DCPOMATIC_ASSERT (_decryption_chain);
        BOOST_FOREACH (dcp::Certificate const & i, _decryption_chain->unordered()) {
                decryption->add_child("Certificate")->add_child_text (i.certificate (true));
        }
-#ifdef DCPOMATIC_VARIANT_SWAROOP
-       dcp::Data iv = dcpomatic::random_iv ();
-       dcp::Data encrypted_key = dcpomatic::encrypt (_decryption_chain->key().get(), key_from_uuid(), iv);
-       encrypted_key.write (path("private"));
-       iv.write (path("iv"));
-#else
        decryption->add_child("PrivateKey")->add_child_text (_decryption_chain->key().get ());
 #endif
 
index e289282..70d8f92 100644 (file)
@@ -1083,9 +1083,6 @@ private:
        boost::filesystem::path directory_or (boost::optional<boost::filesystem::path> dir, boost::filesystem::path a) const;
        void add_to_history_internal (std::vector<boost::filesystem::path>& h, boost::filesystem::path p);
        void backup ();
-#ifdef DCPOMATIC_VARIANT_SWAROOP
-       dcp::Data key_from_uuid () const;
-#endif
 
        template <class T>
        void maybe_set (T& member, T new_value, Property prop = OTHER) {
@@ -1175,10 +1172,16 @@ private:
        std::string _notification_bcc;
        std::string _notification_email;
        boost::shared_ptr<const dcp::CertificateChain> _signer_chain;
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       boost::filesystem::path _signer_chain_path;
+#endif
        /** Chain used to decrypt KDMs; the leaf of this chain is the target
         *  certificate for making KDMs given to DCP-o-matic.
         */
        boost::shared_ptr<const dcp::CertificateChain> _decryption_chain;
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+       boost::filesystem::path _decryption_chain_path;
+#endif
        /** true to check for updates on startup */
        bool _check_for_updates;
        bool _check_for_test_updates;
index 595c7e7..a1ea8f9 100644 (file)
@@ -35,6 +35,7 @@
 #include "rect.h"
 #include "digester.h"
 #include "audio_processor.h"
+#include "crypto.h"
 #include "compose.hpp"
 #include "audio_buffers.h"
 #include <dcp/locale_convert.h>
@@ -93,6 +94,7 @@ using boost::thread;
 using boost::optional;
 using boost::lexical_cast;
 using boost::bad_lexical_cast;
+using boost::scoped_array;
 using dcp::Size;
 using dcp::raw_convert;
 using dcp::locale_convert;
@@ -812,3 +814,110 @@ checked_fread (void* ptr, size_t size, FILE* stream, boost::filesystem::path pat
                }
        }
 }
+
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+
+/* Make up a key from the machine UUID */
+dcp::Data
+key_from_uuid ()
+{
+       dcp::Data key (dcpomatic::crypto_key_length());
+       memset (key.data().get(), 0, key.size());
+       string const magic = command_and_read ("dcpomatic2_uuid");
+       strncpy ((char *) key.data().get(), magic.c_str(), dcpomatic::crypto_key_length());
+       return key;
+}
+
+/* swaroop chain file format:
+ *
+ *  0 [int16_t] IV length
+ *  2 [int16_t] cert #1 length, or 0 for none
+ *  4 [int16_t] cert #2 length, or 0 for none
+ *  6 [int16_t] cert #3 length, or 0 for none
+ *  8 [int16_t] cert #4 length, or 0 for none
+ * 10 [int16_t] cert #5 length, or 0 for none
+ * 12 [int16_t] cert #6 length, or 0 for none
+ * 14 [int16_t] cert #7 length, or 0 for none
+ * 16 [int16_t] cert #8 length, or 0 for none
+ * 16 [int16_t] private key length
+ * 20 IV
+ *    cert #1
+ *    cert #2
+ *    cert #3
+ *    cert #4
+ *    cert #5
+ *    cert #6
+ *    cert #7
+ *    cert #8
+ *    private key
+ */
+
+struct __attribute__ ((packed)) Header_ {
+       int16_t iv_length;
+       int16_t cert_length[8];
+       int16_t private_key_length;
+};
+
+typedef struct Header_ Header;
+
+shared_ptr<dcp::CertificateChain>
+read_swaroop_chain (boost::filesystem::path path)
+{
+       dcp::Data data (path);
+       Header* header = (Header *) data.data().get();
+       uint8_t* p = data.data().get() + sizeof(Header);
+
+       dcp::Data iv (p, header->iv_length);
+       p += iv.size();
+
+       shared_ptr<dcp::CertificateChain> cc (new dcp::CertificateChain());
+       for (int i = 0; i < 8; ++i) {
+               if (header->cert_length[i] == 0) {
+                       break;
+               }
+               dcp::Data c(p, header->cert_length[i]);
+               p += c.size();
+               cc->add (dcp::Certificate(dcpomatic::decrypt(c, key_from_uuid(), iv)));
+       }
+
+       dcp::Data k (p, header->private_key_length);
+       cc->set_key (dcpomatic::decrypt(k, key_from_uuid(), iv));
+       return cc;
+}
+
+void
+write_swaroop_chain (shared_ptr<const dcp::CertificateChain> chain, boost::filesystem::path output)
+{
+       cout << "write " << output.string() << "\n";
+
+       scoped_array<uint8_t> buffer (new uint8_t[65536]);
+       Header* header = (Header *) buffer.get();
+       memset (header, 0, sizeof(Header));
+       uint8_t* p = buffer.get() + sizeof(Header);
+
+       dcp::Data iv = dcpomatic::random_iv ();
+       header->iv_length = iv.size ();
+       memcpy (p, iv.data().get(), iv.size());
+       p += iv.size();
+
+       int N = 0;
+       BOOST_FOREACH (dcp::Certificate i, chain->root_to_leaf()) {
+               dcp::Data e = dcpomatic::encrypt (i.certificate(true), key_from_uuid(), iv);
+               memcpy (p, e.data().get(), e.size());
+               p += e.size();
+               DCPOMATIC_ASSERT (N < 8);
+               header->cert_length[N] = e.size ();
+               ++N;
+       }
+
+       dcp::Data k = dcpomatic::encrypt (chain->key().get(), key_from_uuid(), iv);
+       memcpy (p, k.data().get(), k.size());
+       p += k.size();
+       header->private_key_length = k.size ();
+
+       FILE* f = fopen_boost (output, "wb");
+       checked_fwrite (buffer.get(), p - buffer.get(), f, output);
+       fclose (f);
+}
+
+#endif
index 94e9e37..bdf2480 100644 (file)
@@ -100,5 +100,9 @@ extern boost::shared_ptr<AudioBuffers> remap (boost::shared_ptr<const AudioBuffe
 extern Eyes increment_eyes (Eyes e);
 extern void checked_fread (void* ptr, size_t size, FILE* stream, boost::filesystem::path path);
 extern void checked_fwrite (void const * ptr, size_t size, FILE* stream, boost::filesystem::path path);
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+extern boost::shared_ptr<dcp::CertificateChain> read_swaroop_chain (boost::filesystem::path path);
+extern void write_swaroop_chain (boost::shared_ptr<const dcp::CertificateChain> chain, boost::filesystem::path output);
+#endif
 
 #endif
index 4b3e20a..ba33b42 100644 (file)
@@ -24,7 +24,9 @@
  */
 
 #include "lib/util.h"
+#include "lib/cross.h"
 #include "lib/exceptions.h"
+#include <dcp/certificate_chain.h>
 #include <boost/test/unit_test.hpp>
 
 using std::string;
@@ -89,3 +91,25 @@ BOOST_AUTO_TEST_CASE (tidy_for_filename_test)
        BOOST_CHECK_EQUAL (tidy_for_filename ("fish/chips\\"), "fish_chips_");
        BOOST_CHECK_EQUAL (tidy_for_filename ("abcdefghï"), "abcdefghï");
 }
+
+#ifdef DCPOMATIC_VARIANT_SWAROOP
+BOOST_AUTO_TEST_CASE (swaroop_chain_test)
+{
+       shared_ptr<dcp::CertificateChain> cc (
+               new dcp::CertificateChain (
+                       openssl_path(),
+                       "dcpomatic.com",
+                       "dcpomatic.com",
+                       ".dcpomatic.smpte-430-2.ROOT",
+                       ".dcpomatic.smpte-430-2.INTERMEDIATE",
+                       "CS.dcpomatic.smpte-430-2.LEAF"
+                       )
+               );
+
+       write_swaroop_chain (cc, "build/test/swaroop_chain");
+       shared_ptr<dcp::CertificateChain> back = read_swaroop_chain ("build/test/swaroop_chain");
+
+       BOOST_CHECK (cc->root_to_leaf() == back->root_to_leaf());
+}
+
+#endif