+dcp::DecryptedKDM
+DCP::decrypted_kdm () const
+{
+ try {
+ return dcp::DecryptedKDM (_dcp_content->kdm().get(), Config::instance()->decryption_chain()->key().get());
+ } catch (dcp::KDMDecryptionError& e) {
+ /* Try to flesh out the error a bit */
+ string const kdm_subject_name = _dcp_content->kdm()->recipient_x509_subject_name();
+ bool on_chain = false;
+ shared_ptr<const dcp::CertificateChain> dc = Config::instance()->decryption_chain();
+ BOOST_FOREACH (dcp::Certificate i, dc->root_to_leaf()) {
+ if (i.subject() == kdm_subject_name) {
+ on_chain = true;
+ }
+ }
+ if (!on_chain) {
+ throw KDMError (_("KDM was not made for DCP-o-matic's decryption certificate."), e.what());
+ } else if (on_chain && kdm_subject_name != dc->leaf().subject()) {
+ throw KDMError (_("KDM was made for DCP-o-matic but not for its leaf certificate."), e.what());
+ } else {
+ throw;
+ }
+ }
+}