/*
- Copyright (C) 2013-2016 Carl Hetherington <cth@carlh.net>
+ Copyright (C) 2013-2018 Carl Hetherington <cth@carlh.net>
This file is part of libdcp.
#include "encrypted_kdm.h"
#include "util.h"
#include "certificate_chain.h"
+#include "exceptions.h"
+#include "compose.hpp"
#include <libcxml/cxml.h>
#include <libxml++/document.h>
#include <libxml++/nodes/element.h>
#include <libxml/parser.h>
+#include <boost/algorithm/string.hpp>
#include <boost/date_time/posix_time/posix_time.hpp>
#include <boost/foreach.hpp>
+#include <boost/format.hpp>
using std::list;
using std::vector;
using std::pair;
using boost::shared_ptr;
using boost::optional;
+using boost::starts_with;
using namespace dcp;
namespace dcp {
/* XXX: this feels like a bit of a hack */
if (key_type == "MDEK") {
type->set_attribute ("scope", "http://www.dolby.com/cp850/2012/KDM#kdm-key-type");
+ } else {
+ type->set_attribute ("scope", "http://www.smpte-ra.org/430-1/2006/KDM#kdm-key-type");
}
}
, authorized_device_info (node->node_child ("AuthorizedDeviceInfo"))
, key_id_list (node->node_child ("KeyIdList"))
{
-
+ disable_forensic_marking_picture = false;
+ disable_forensic_marking_audio = optional<int>();
+ if (node->optional_node_child("ForensicMarkFlagList")) {
+ BOOST_FOREACH (cxml::ConstNodePtr i, node->node_child("ForensicMarkFlagList")->node_children("ForensicMarkFlag")) {
+ if (i->content() == picture_disable) {
+ disable_forensic_marking_picture = true;
+ } else if (starts_with(i->content(), audio_disable)) {
+ disable_forensic_marking_audio = 0;
+ string const above = audio_disable + "-above-channel-";
+ if (starts_with(i->content(), above)) {
+ string above_number = i->content().substr(above.length());
+ if (above_number == "") {
+ throw KDMFormatError("Badly-formatted ForensicMarkFlag");
+ }
+ disable_forensic_marking_audio = atoi(above_number.c_str());
+ }
+ }
+ }
+ }
}
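Review bot: The `atoi()` call on the `-above-channel-` suffix accepts anything: a non-numeric suffix yields 0, which `as_xml` below serialises as the plain audio-disable flag (no channel limit), a negative number is accepted and serialises the same way, and an out-of-range number is undefined behaviour. The outer `starts_with(i->content(), audio_disable)` test fails open in the same way, since any URI that merely begins with the audio-disable prefix sets the value to 0. Because this text comes from a KDM being read, I would accept only the exact URI, or the prefix followed by a short run of decimal digits, and raise `KDMFormatError` otherwise (or skip the unknown flag if tolerant reading is required). The constructor starts before this hunk.

```cpp
} else if (starts_with(i->content(), audio_disable)) {
	string const above = audio_disable + "-above-channel-";
	if (i->content() == audio_disable) {
		disable_forensic_marking_audio = 0;
	} else if (starts_with(i->content(), above)) {
		string const above_number = i->content().substr(above.length());
		/* Digits only, and few enough of them to keep atoi() in range, so that
		   junk is never read as 0 (i.e. "disable on every channel") */
		if (
			above_number.empty() ||
			above_number.length() > 4 ||
			above_number.find_first_not_of("0123456789") != string::npos
			) {
			throw KDMFormatError("Badly-formatted ForensicMarkFlag");
		}
		disable_forensic_marking_audio = atoi(above_number.c_str());
	} else {
		throw KDMFormatError("Badly-formatted ForensicMarkFlag");
	}
}
```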
void as_xml (xmlpp::Element* node) const
}
node->add_child("ContentKeysNotValidBefore")->add_child_text (not_valid_before.as_string ());
node->add_child("ContentKeysNotValidAfter")->add_child_text (not_valid_after.as_string ());
- authorized_device_info.as_xml (node->add_child ("AuthorizedDeviceInfo"));
+ if (authorized_device_info) {
+ authorized_device_info->as_xml (node->add_child ("AuthorizedDeviceInfo"));
+ }
key_id_list.as_xml (node->add_child ("KeyIdList"));
- xmlpp::Element* forensic_mark_flag_list = node->add_child ("ForensicMarkFlagList");
- forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable");
- forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable");
+ if (disable_forensic_marking_picture || disable_forensic_marking_audio) {
+ xmlpp::Element* forensic_mark_flag_list = node->add_child ("ForensicMarkFlagList");
+ if (disable_forensic_marking_picture) {
+ forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text(picture_disable);
+ }
+ if (disable_forensic_marking_audio) {
+ string mrkflg = audio_disable;
+ if (*disable_forensic_marking_audio > 0) {
+ mrkflg += String::compose ("-above-channel-%1", *disable_forensic_marking_audio);
+ }
+ forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text (mrkflg);
+ }
+ }
}
Recipient recipient;
string content_title_text;
LocalTime not_valid_before;
LocalTime not_valid_after;
- AuthorizedDeviceInfo authorized_device_info;
+ bool disable_forensic_marking_picture;
+ optional<int> disable_forensic_marking_audio;
+ boost::optional<AuthorizedDeviceInfo> authorized_device_info;
KeyIdList key_id_list;
+
+private:
+ static const string picture_disable;
+ static const string audio_disable;
};
+const string KDMRequiredExtensions::picture_disable = "http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable";
+const string KDMRequiredExtensions::audio_disable = "http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable";
+
class RequiredExtensions
{
public:
xmlAddID (0, document->cobj(), (const xmlChar *) i->first.c_str(), i->second->cobj ());
}
+ indent (document->get_root_node(), 0);
return document;
}
EncryptedKDM::EncryptedKDM (string s)
{
- shared_ptr<cxml::Document> doc (new cxml::Document ("DCinemaSecurityMessage"));
- doc->read_string (s);
- _data = new data::EncryptedKDMData (doc);
+ try {
+ shared_ptr<cxml::Document> doc (new cxml::Document ("DCinemaSecurityMessage"));
+ doc->read_string (s);
+ _data = new data::EncryptedKDMData (doc);
+ } catch (xmlpp::parse_error& e) {
+ throw KDMFormatError (e.what ());
+ }
}
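Review bot: Only `xmlpp::parse_error` is translated to `KDMFormatError` in this constructor, so a document that is well-formed XML but lacks an expected element would, judging by the `node_child()` calls elsewhere in this file, probably escape as a libcxml exception (`cxml::Error`) instead. A caller that catches `KDMFormatError` to reject a bad KDM would then miss that case. Consider catching the libcxml error type in the same block and rethrowing it the same way, and catch by const reference: `} catch (xmlpp::parse_error const & e) {`.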
+/** @param trusted_devices Trusted device thumbprints */
EncryptedKDM::EncryptedKDM (
shared_ptr<const CertificateChain> signer,
Certificate recipient,
- vector<Certificate> trusted_devices,
+ vector<string> trusted_devices,
string cpl_id,
string content_title_text,
optional<string> annotation_text,
LocalTime not_valid_before,
LocalTime not_valid_after,
Formulation formulation,
+ bool disable_forensic_marking_picture,
+ optional<int> disable_forensic_marking_audio,
list<pair<string, string> > key_ids,
list<string> keys
)
{
/* Fill our XML-ish description in with the juicy bits that the caller has given */
+ /* Our ideas, based on http://isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf, about the KDM types are:
+ *
+ * Type Trusted-device thumb ContentAuthenticator
+ * MODIFIED_TRANSITIONAL_1 assume-trust No
+ * MULTIPLE_MODIFIED_TRANSITIONAL_1 as specified No
+ * DCI_ANY assume-trust Yes
+ * DCI_SPECIFIC as specified Yes
+ */
+
data::AuthenticatedPublic& aup = _data->authenticated_public;
aup.signer.x509_issuer_name = signer->leaf().issuer ();
aup.signer.x509_serial_number = signer->leaf().serial ();
kre.content_title_text = content_title_text;
kre.not_valid_before = not_valid_before;
kre.not_valid_after = not_valid_after;
- kre.authorized_device_info.device_list_identifier = make_uuid ();
- string n = recipient.subject_common_name ();
- if (n.find (".") != string::npos) {
- n = n.substr (n.find (".") + 1);
- }
- kre.authorized_device_info.device_list_description = n;
-
- if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
- /* Use the "assume trust" thumbprint */
- kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
- } else if (formulation == DCI_SPECIFIC) {
- /* As I read the standard we should use the recipient
- /and/ other trusted device thumbprints here. MJD
- reports that this doesn't work with his setup;
- a working KDM does not include the recipient's
- thumbprint (recipient.thumbprint()).
- Waimea uses only the trusted devices here, too.
- */
- BOOST_FOREACH (Certificate const & i, trusted_devices) {
- kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
+ kre.disable_forensic_marking_picture = disable_forensic_marking_picture;
+ kre.disable_forensic_marking_audio = disable_forensic_marking_audio;
+
+ if (formulation != MODIFIED_TRANSITIONAL_TEST) {
+ kre.authorized_device_info = data::AuthorizedDeviceInfo ();
+ kre.authorized_device_info->device_list_identifier = make_uuid ();
+ string n = recipient.subject_common_name ();
+ if (n.find (".") != string::npos) {
+ n = n.substr (n.find (".") + 1);
+ }
+ kre.authorized_device_info->device_list_description = n;
+
+ if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
+ /* Use the "assume trust" thumbprint */
+ kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+ } else if (formulation == MULTIPLE_MODIFIED_TRANSITIONAL_1 || formulation == DCI_SPECIFIC) {
+ if (trusted_devices.empty ()) {
+ /* Fall back on the "assume trust" thumbprint so we
+ can generate "modified-transitional-1" KDMs
+ together with "multiple-modified-transitional-1"
+ KDMs in one go, and similarly for "dci-any" etc.
+ */
+ kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+ } else {
+ /* As I read the standard we should use the
+ recipient /and/ other trusted device thumbprints
+ here. MJD reports that this doesn't work with
+ his setup; a working KDM does not include the
+ recipient's thumbprint (recipient.thumbprint()).
+ Waimea uses only the trusted devices here, too.
+ */
+ BOOST_FOREACH (string i, trusted_devices) {
+ kre.authorized_device_info->certificate_thumbprints.push_back (i);
+ }
+ }
}
}
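Review bot: The empty-`trusted_devices` branch silently gives `DCI_SPECIFIC` and `MULTIPLE_MODIFIED_TRANSITIONAL_1` the "assume trust" thumbprint, so a caller whose device list is empty by mistake gets a KDM that names no specific device. The in-code comment explains the intent, but the constructor's doc comment should say it too, e.g. `@param trusted_devices Trusted device thumbprints; if empty, the "assume trust" thumbprint is written even for formulations that normally list specific devices`. The thumbprint literal now appears twice in this hunk; one named constant, `static string const assume_trust_thumbprint = "2jmj7l5rSw0yVb/vlWAYkK/YBwk=";`, would keep the two branches in step. The strings in `trusted_devices` are copied into the KDM unchecked, so a malformed thumbprint would presumably only show up when the KDM is ingested. The enclosing constructor starts and ends outside this hunk.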
xmlpp::Node::NodeList children = doc->get_root_node()->get_children ();
for (xmlpp::Node::NodeList::const_iterator i = children.begin(); i != children.end(); ++i) {
if ((*i)->get_name() == "Signature") {
- signer->add_signature_value (*i, "ds");
+ signer->add_signature_value (dynamic_cast<xmlpp::Element*>(*i), "ds", false);
}
}
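Review bot: The result of `dynamic_cast<xmlpp::Element*>(*i)` is passed straight to `add_signature_value()` without a null check. A node named "Signature" should always be an element, but this is the signing path, so a guard that fails loudly when the cast returns null would make that assumption explicit. The bare `false` third argument is also opaque at the call site; a short comment naming the parameter it sets would help the next reader. The enclosing function starts outside the hunk.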
return _data->authenticated_private.encrypted_key;
}
+string
+EncryptedKDM::id () const
+{
+ return _data->authenticated_public.message_id;
+}
+
optional<string>
EncryptedKDM::annotation_text () const
{
return _data->authenticated_public.required_extensions.kdm_required_extensions.not_valid_after;
}
+string
+EncryptedKDM::recipient_x509_subject_name () const
+{
+ return _data->authenticated_public.required_extensions.kdm_required_extensions.recipient.x509_subject_name;
+}
+
bool
dcp::operator== (EncryptedKDM const & a, EncryptedKDM const & b)
{