2 Copyright (C) 2013-2016 Carl Hetherington <cth@carlh.net>
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 #include "encrypted_kdm.h"
22 #include "certificate_chain.h"
23 #include <libcxml/cxml.h>
24 #include <libxml++/document.h>
25 #include <libxml++/nodes/element.h>
26 #include <libxml/parser.h>
27 #include <boost/date_time/posix_time/posix_time.hpp>
28 #include <boost/foreach.hpp>
35 using boost::shared_ptr;
36 using boost::optional;
41 /** Namespace for classes used to hold our data; they are internal to this .cc file */
49 Signer (shared_ptr<const cxml::Node> node)
50 : x509_issuer_name (node->string_child ("X509IssuerName"))
51 , x509_serial_number (node->string_child ("X509SerialNumber"))
56 void as_xml (xmlpp::Element* node) const
58 node->add_child("X509IssuerName", "ds")->add_child_text (x509_issuer_name);
59 node->add_child("X509SerialNumber", "ds")->add_child_text (x509_serial_number);
62 string x509_issuer_name;
63 string x509_serial_number;
71 X509Data (boost::shared_ptr<const cxml::Node> node)
72 : x509_issuer_serial (Signer (node->node_child ("X509IssuerSerial")))
73 , x509_certificate (node->string_child ("X509Certificate"))
78 void as_xml (xmlpp::Element* node) const
80 x509_issuer_serial.as_xml (node->add_child ("X509IssuerSerial", "ds"));
81 node->add_child("X509Certificate", "ds")->add_child_text (x509_certificate);
84 Signer x509_issuer_serial;
85 std::string x509_certificate;
97 Reference (shared_ptr<const cxml::Node> node)
98 : uri (node->string_attribute ("URI"))
99 , digest_value (node->string_child ("DigestValue"))
104 void as_xml (xmlpp::Element* node) const
106 node->set_attribute ("URI", uri);
107 node->add_child("DigestMethod", "ds")->set_attribute ("Algorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
108 node->add_child("DigestValue", "ds")->add_child_text (digest_value);
119 : authenticated_public ("#ID_AuthenticatedPublic")
120 , authenticated_private ("#ID_AuthenticatedPrivate")
123 SignedInfo (shared_ptr<const cxml::Node> node)
125 list<shared_ptr<cxml::Node> > references = node->node_children ("Reference");
126 for (list<shared_ptr<cxml::Node> >::const_iterator i = references.begin(); i != references.end(); ++i) {
127 if ((*i)->string_attribute ("URI") == "#ID_AuthenticatedPublic") {
128 authenticated_public = Reference (*i);
129 } else if ((*i)->string_attribute ("URI") == "#ID_AuthenticatedPrivate") {
130 authenticated_private = Reference (*i);
133 /* XXX: do something if we don't recognise the node */
137 void as_xml (xmlpp::Element* node) const
139 node->add_child ("CanonicalizationMethod", "ds")->set_attribute (
140 "Algorithm", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
143 node->add_child ("SignatureMethod", "ds")->set_attribute (
144 "Algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
147 authenticated_public.as_xml (node->add_child ("Reference", "ds"));
148 authenticated_private.as_xml (node->add_child ("Reference", "ds"));
152 Reference authenticated_public;
153 Reference authenticated_private;
161 Signature (shared_ptr<const cxml::Node> node)
162 : signed_info (node->node_child ("SignedInfo"))
163 , signature_value (node->string_child ("SignatureValue"))
165 list<shared_ptr<cxml::Node> > x509_data_nodes = node->node_child("KeyInfo")->node_children ("X509Data");
166 for (list<shared_ptr<cxml::Node> >::const_iterator i = x509_data_nodes.begin(); i != x509_data_nodes.end(); ++i) {
167 x509_data.push_back (X509Data (*i));
171 void as_xml (xmlpp::Node* node) const
173 signed_info.as_xml (node->add_child ("SignedInfo", "ds"));
174 node->add_child("SignatureValue", "ds")->add_child_text (signature_value);
176 xmlpp::Element* key_info_node = node->add_child ("KeyInfo", "ds");
177 for (std::list<X509Data>::const_iterator i = x509_data.begin(); i != x509_data.end(); ++i) {
178 i->as_xml (key_info_node->add_child ("X509Data", "ds"));
182 SignedInfo signed_info;
183 string signature_value;
184 list<X509Data> x509_data;
187 class AuthenticatedPrivate
190 AuthenticatedPrivate () {}
192 AuthenticatedPrivate (shared_ptr<const cxml::Node> node)
194 list<shared_ptr<cxml::Node> > encrypted_key_nodes = node->node_children ("EncryptedKey");
195 for (list<shared_ptr<cxml::Node> >::const_iterator i = encrypted_key_nodes.begin(); i != encrypted_key_nodes.end(); ++i) {
196 encrypted_key.push_back ((*i)->node_child("CipherData")->string_child ("CipherValue"));
200 void as_xml (xmlpp::Element* node, map<string, xmlpp::Attribute *>& references) const
202 references["ID_AuthenticatedPrivate"] = node->set_attribute ("Id", "ID_AuthenticatedPrivate");
204 for (list<string>::const_iterator i = encrypted_key.begin(); i != encrypted_key.end(); ++i) {
205 xmlpp::Element* encrypted_key = node->add_child ("EncryptedKey", "enc");
206 /* XXX: hack for testing with Dolby */
207 encrypted_key->set_namespace_declaration ("http://www.w3.org/2001/04/xmlenc#", "enc");
208 xmlpp::Element* encryption_method = encrypted_key->add_child ("EncryptionMethod", "enc");
209 encryption_method->set_attribute ("Algorithm", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
210 xmlpp::Element* digest_method = encryption_method->add_child ("DigestMethod", "ds");
211 /* XXX: hack for testing with Dolby */
212 digest_method->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "ds");
213 digest_method->set_attribute ("Algorithm", "http://www.w3.org/2000/09/xmldsig#sha1");
214 xmlpp::Element* cipher_data = encrypted_key->add_child ("CipherData", "enc");
215 cipher_data->add_child("CipherValue", "enc")->add_child_text (*i);
219 list<string> encrypted_key;
227 TypedKeyId (shared_ptr<const cxml::Node> node)
228 : key_type (node->string_child ("KeyType"))
229 , key_id (remove_urn_uuid (node->string_child ("KeyId")))
234 TypedKeyId (string type, string id)
239 void as_xml (xmlpp::Element* node) const
241 xmlpp::Element* type = node->add_child("KeyType");
242 type->add_child_text (key_type);
243 node->add_child("KeyId")->add_child_text ("urn:uuid:" + key_id);
244 /* XXX: this feels like a bit of a hack */
245 if (key_type == "MDEK") {
246 type->set_attribute ("scope", "http://www.dolby.com/cp850/2012/KDM#kdm-key-type");
259 KeyIdList (shared_ptr<const cxml::Node> node)
261 list<shared_ptr<cxml::Node> > typed_key_id_nodes = node->node_children ("TypedKeyId");
262 for (list<shared_ptr<cxml::Node> >::const_iterator i = typed_key_id_nodes.begin(); i != typed_key_id_nodes.end(); ++i) {
263 typed_key_id.push_back (TypedKeyId (*i));
267 void as_xml (xmlpp::Element* node) const
269 for (list<TypedKeyId>::const_iterator i = typed_key_id.begin(); i != typed_key_id.end(); ++i) {
270 i->as_xml (node->add_child("TypedKeyId"));
274 list<TypedKeyId> typed_key_id;
277 class AuthorizedDeviceInfo
280 AuthorizedDeviceInfo () {}
282 AuthorizedDeviceInfo (shared_ptr<const cxml::Node> node)
283 : device_list_identifier (remove_urn_uuid (node->string_child ("DeviceListIdentifier")))
284 , device_list_description (node->optional_string_child ("DeviceListDescription"))
286 BOOST_FOREACH (cxml::ConstNodePtr i, node->node_child("DeviceList")->node_children("CertificateThumbprint")) {
287 certificate_thumbprints.push_back (i->content ());
291 void as_xml (xmlpp::Element* node) const
293 node->add_child ("DeviceListIdentifier")->add_child_text ("urn:uuid:" + device_list_identifier);
294 if (device_list_description) {
295 node->add_child ("DeviceListDescription")->add_child_text (device_list_description.get());
297 xmlpp::Element* device_list = node->add_child ("DeviceList");
298 BOOST_FOREACH (string i, certificate_thumbprints) {
299 device_list->add_child("CertificateThumbprint")->add_child_text (i);
303 /** DeviceListIdentifier without the urn:uuid: prefix */
304 string device_list_identifier;
305 boost::optional<string> device_list_description;
306 std::list<string> certificate_thumbprints;
309 class X509IssuerSerial
312 X509IssuerSerial () {}
314 X509IssuerSerial (shared_ptr<const cxml::Node> node)
315 : x509_issuer_name (node->string_child ("X509IssuerName"))
316 , x509_serial_number (node->string_child ("X509SerialNumber"))
321 void as_xml (xmlpp::Element* node) const
323 node->add_child("X509IssuerName", "ds")->add_child_text (x509_issuer_name);
324 node->add_child("X509SerialNumber", "ds")->add_child_text (x509_serial_number);
327 string x509_issuer_name;
328 string x509_serial_number;
336 Recipient (shared_ptr<const cxml::Node> node)
337 : x509_issuer_serial (node->node_child ("X509IssuerSerial"))
338 , x509_subject_name (node->string_child ("X509SubjectName"))
343 void as_xml (xmlpp::Element* node) const
345 x509_issuer_serial.as_xml (node->add_child ("X509IssuerSerial"));
346 node->add_child("X509SubjectName")->add_child_text (x509_subject_name);
349 X509IssuerSerial x509_issuer_serial;
350 string x509_subject_name;
353 class KDMRequiredExtensions
356 KDMRequiredExtensions () {}
358 KDMRequiredExtensions (shared_ptr<const cxml::Node> node)
359 : recipient (node->node_child ("Recipient"))
360 , composition_playlist_id (remove_urn_uuid (node->string_child ("CompositionPlaylistId")))
361 , content_title_text (node->string_child ("ContentTitleText"))
362 , not_valid_before (node->string_child ("ContentKeysNotValidBefore"))
363 , not_valid_after (node->string_child ("ContentKeysNotValidAfter"))
364 , authorized_device_info (node->node_child ("AuthorizedDeviceInfo"))
365 , key_id_list (node->node_child ("KeyIdList"))
370 void as_xml (xmlpp::Element* node) const
372 node->set_attribute ("xmlns", "http://www.smpte-ra.org/schemas/430-1/2006/KDM");
374 recipient.as_xml (node->add_child ("Recipient"));
375 node->add_child("CompositionPlaylistId")->add_child_text ("urn:uuid:" + composition_playlist_id);
376 node->add_child("ContentTitleText")->add_child_text (content_title_text);
377 if (content_authenticator) {
378 node->add_child("ContentAuthenticator")->add_child_text (content_authenticator.get ());
380 node->add_child("ContentKeysNotValidBefore")->add_child_text (not_valid_before.as_string ());
381 node->add_child("ContentKeysNotValidAfter")->add_child_text (not_valid_after.as_string ());
382 authorized_device_info.as_xml (node->add_child ("AuthorizedDeviceInfo"));
383 key_id_list.as_xml (node->add_child ("KeyIdList"));
385 xmlpp::Element* forensic_mark_flag_list = node->add_child ("ForensicMarkFlagList");
386 forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable");
387 forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable");
391 string composition_playlist_id;
392 boost::optional<string> content_authenticator;
393 string content_title_text;
394 LocalTime not_valid_before;
395 LocalTime not_valid_after;
396 AuthorizedDeviceInfo authorized_device_info;
397 KeyIdList key_id_list;
400 class RequiredExtensions
403 RequiredExtensions () {}
405 RequiredExtensions (shared_ptr<const cxml::Node> node)
406 : kdm_required_extensions (node->node_child ("KDMRequiredExtensions"))
411 void as_xml (xmlpp::Element* node) const
413 kdm_required_extensions.as_xml (node->add_child ("KDMRequiredExtensions"));
416 KDMRequiredExtensions kdm_required_extensions;
419 class AuthenticatedPublic
422 AuthenticatedPublic ()
423 : message_id (make_uuid ())
424 /* XXX: hack for Dolby to see if there must be a not-empty annotation text */
425 , annotation_text ("none")
426 , issue_date (LocalTime().as_string ())
429 AuthenticatedPublic (shared_ptr<const cxml::Node> node)
430 : message_id (remove_urn_uuid (node->string_child ("MessageId")))
431 , annotation_text (node->optional_string_child ("AnnotationText"))
432 , issue_date (node->string_child ("IssueDate"))
433 , signer (node->node_child ("Signer"))
434 , required_extensions (node->node_child ("RequiredExtensions"))
439 void as_xml (xmlpp::Element* node, map<string, xmlpp::Attribute *>& references) const
441 references["ID_AuthenticatedPublic"] = node->set_attribute ("Id", "ID_AuthenticatedPublic");
443 node->add_child("MessageId")->add_child_text ("urn:uuid:" + message_id);
444 node->add_child("MessageType")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#kdm-key-type");
445 if (annotation_text) {
446 node->add_child("AnnotationText")->add_child_text (annotation_text.get ());
448 node->add_child("IssueDate")->add_child_text (issue_date);
450 signer.as_xml (node->add_child ("Signer"));
451 required_extensions.as_xml (node->add_child ("RequiredExtensions"));
453 node->add_child ("NonCriticalExtensions");
457 optional<string> annotation_text;
460 RequiredExtensions required_extensions;
463 /** Class to describe our data. We use a class hierarchy as it's a bit nicer
464 * for XML data than a flat description.
466 class EncryptedKDMData
474 EncryptedKDMData (shared_ptr<const cxml::Node> node)
475 : authenticated_public (node->node_child ("AuthenticatedPublic"))
476 , authenticated_private (node->node_child ("AuthenticatedPrivate"))
477 , signature (node->node_child ("Signature"))
482 shared_ptr<xmlpp::Document> as_xml () const
484 shared_ptr<xmlpp::Document> document (new xmlpp::Document ());
485 xmlpp::Element* root = document->create_root_node ("DCinemaSecurityMessage", "http://www.smpte-ra.org/schemas/430-3/2006/ETM");
486 root->set_namespace_declaration ("http://www.w3.org/2000/09/xmldsig#", "ds");
487 root->set_namespace_declaration ("http://www.w3.org/2001/04/xmlenc#", "enc");
488 map<string, xmlpp::Attribute *> references;
489 authenticated_public.as_xml (root->add_child ("AuthenticatedPublic"), references);
490 authenticated_private.as_xml (root->add_child ("AuthenticatedPrivate"), references);
491 signature.as_xml (root->add_child ("Signature", "ds"));
493 for (map<string, xmlpp::Attribute*>::const_iterator i = references.begin(); i != references.end(); ++i) {
494 xmlAddID (0, document->cobj(), (const xmlChar *) i->first.c_str(), i->second->cobj ());
500 AuthenticatedPublic authenticated_public;
501 AuthenticatedPrivate authenticated_private;
508 EncryptedKDM::EncryptedKDM (string s)
510 shared_ptr<cxml::Document> doc (new cxml::Document ("DCinemaSecurityMessage"));
511 doc->read_string (s);
512 _data = new data::EncryptedKDMData (doc);
515 EncryptedKDM::EncryptedKDM (
516 shared_ptr<const CertificateChain> signer,
517 Certificate recipient,
518 vector<Certificate> trusted_devices,
519 string device_list_description,
521 string content_title_text,
522 optional<string> annotation_text,
523 LocalTime not_valid_before,
524 LocalTime not_valid_after,
525 Formulation formulation,
526 list<pair<string, string> > key_ids,
529 : _data (new data::EncryptedKDMData)
531 /* Fill our XML-ish description in with the juicy bits that the caller has given */
533 data::AuthenticatedPublic& aup = _data->authenticated_public;
534 aup.signer.x509_issuer_name = signer->leaf().issuer ();
535 aup.signer.x509_serial_number = signer->leaf().serial ();
536 aup.annotation_text = annotation_text;
538 data::KDMRequiredExtensions& kre = _data->authenticated_public.required_extensions.kdm_required_extensions;
539 kre.recipient.x509_issuer_serial.x509_issuer_name = recipient.issuer ();
540 kre.recipient.x509_issuer_serial.x509_serial_number = recipient.serial ();
541 kre.recipient.x509_subject_name = recipient.subject ();
542 kre.authorized_device_info.device_list_description = device_list_description;
543 kre.composition_playlist_id = cpl_id;
544 if (formulation == DCI_ANY || formulation == DCI_SPECIFIC) {
545 kre.content_authenticator = signer->leaf().thumbprint ();
547 kre.content_title_text = content_title_text;
548 kre.not_valid_before = not_valid_before;
549 kre.not_valid_after = not_valid_after;
550 kre.authorized_device_info.device_list_identifier = make_uuid ();
551 string n = recipient.subject_common_name ();
552 if (n.find (".") != string::npos) {
553 n = n.substr (n.find (".") + 1);
555 kre.authorized_device_info.device_list_description = n;
557 if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
558 /* Use the "assume trust" thumbprint */
559 kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
560 } else if (formulation == DCI_SPECIFIC) {
561 /* As I read the standard we should use the recipient
562 /and/ other trusted device thumbprints here. MJD
563 reports that this doesn't work with his setup;
564 a working KDM does not include the recipient's
565 thumbprint (recipient.thumbprint()).
567 BOOST_FOREACH (Certificate const & i, trusted_devices) {
568 kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
572 for (list<pair<string, string> >::const_iterator i = key_ids.begin(); i != key_ids.end(); ++i) {
573 kre.key_id_list.typed_key_id.push_back (data::TypedKeyId (i->first, i->second));
576 _data->authenticated_private.encrypted_key = keys;
578 /* Read the XML so far and sign it */
579 shared_ptr<xmlpp::Document> doc = _data->as_xml ();
580 xmlpp::Node::NodeList children = doc->get_root_node()->get_children ();
581 for (xmlpp::Node::NodeList::const_iterator i = children.begin(); i != children.end(); ++i) {
582 if ((*i)->get_name() == "Signature") {
583 signer->add_signature_value (*i, "ds");
587 /* Read the bits that add_signature_value did back into our variables */
588 shared_ptr<cxml::Node> signed_doc (new cxml::Node (doc->get_root_node ()));
589 _data->signature = data::Signature (signed_doc->node_child ("Signature"));
592 EncryptedKDM::EncryptedKDM (EncryptedKDM const & other)
593 : _data (new data::EncryptedKDMData (*other._data))
599 EncryptedKDM::operator= (EncryptedKDM const & other)
601 if (this == &other) {
606 _data = new data::EncryptedKDMData (*other._data);
610 EncryptedKDM::~EncryptedKDM ()
616 EncryptedKDM::as_xml (boost::filesystem::path path) const
618 FILE* f = fopen_boost (path, "w");
619 string const x = as_xml ();
620 fwrite (x.c_str(), 1, x.length(), f);
625 EncryptedKDM::as_xml () const
627 return _data->as_xml()->write_to_string ("UTF-8");
631 EncryptedKDM::keys () const
633 return _data->authenticated_private.encrypted_key;
637 EncryptedKDM::annotation_text () const
639 return _data->authenticated_public.annotation_text;
643 EncryptedKDM::content_title_text () const
645 return _data->authenticated_public.required_extensions.kdm_required_extensions.content_title_text;
649 EncryptedKDM::cpl_id () const
651 return _data->authenticated_public.required_extensions.kdm_required_extensions.composition_playlist_id;
655 EncryptedKDM::issue_date () const
657 return _data->authenticated_public.issue_date;
661 dcp::operator== (EncryptedKDM const & a, EncryptedKDM const & b)
663 /* Not exactly efficient... */
664 return a.as_xml() == b.as_xml();
projects / libdcp.git / blob