X-Git-Url: https://main.carlh.net/gitweb/?a=blobdiff_plain;f=src%2Fencrypted_kdm.cc;h=071bf87090596f6b2dad69899423a58183683271;hb=75a4d1603551f5405b89f199e7f02b82b2554746;hp=4c24953f1271332673be33588d0791e374570701;hpb=e4d5298e7a179d4103581cba05cbc516f94acf60;p=libdcp.git

diff --git a/src/encrypted_kdm.cc b/src/encrypted_kdm.cc
index 4c24953f..071bf870 100644
--- a/src/encrypted_kdm.cc
+++ b/src/encrypted_kdm.cc
@@ -1,5 +1,5 @@
 /*
-    Copyright (C) 2013-2016 Carl Hetherington <cth@carlh.net>
+    Copyright (C) 2013-2018 Carl Hetherington <cth@carlh.net>
 
     This file is part of libdcp.
 
@@ -34,12 +34,16 @@
 #include "encrypted_kdm.h"
 #include "util.h"
 #include "certificate_chain.h"
+#include "exceptions.h"
+#include "compose.hpp"
 #include <libcxml/cxml.h>
 #include <libxml++/document.h>
 #include <libxml++/nodes/element.h>
 #include <libxml/parser.h>
+#include <boost/algorithm/string.hpp>
 #include <boost/date_time/posix_time/posix_time.hpp>
 #include <boost/foreach.hpp>
+#include <boost/format.hpp>
 
 using std::list;
 using std::vector;
@@ -48,6 +52,7 @@ using std::map;
 using std::pair;
 using boost::shared_ptr;
 using boost::optional;
+using boost::starts_with;
 using namespace dcp;
 
 namespace dcp {
@@ -258,6 +263,8 @@ public:
 		/* XXX: this feels like a bit of a hack */
 		if (key_type == "MDEK") {
 			type->set_attribute ("scope", "http://www.dolby.com/cp850/2012/KDM#kdm-key-type");
+		} else {
+			type->set_attribute ("scope", "http://www.smpte-ra.org/430-1/2006/KDM#kdm-key-type");
 		}
 	}
 
@@ -378,7 +385,25 @@ public:
 		, authorized_device_info (node->node_child ("AuthorizedDeviceInfo"))
 		, key_id_list (node->node_child ("KeyIdList"))
 	{
-
+		disable_forensic_marking_picture = false;
+		disable_forensic_marking_audio = optional<int>();
+		if (node->optional_node_child("ForensicMarkFlagList")) {
+			BOOST_FOREACH (cxml::ConstNodePtr i, node->node_child("ForensicMarkFlagList")->node_children("ForensicMarkFlag")) {
+				if (i->content() == picture_disable) {
+					disable_forensic_marking_picture = true;
+				} else if (starts_with(i->content(), audio_disable)) {
+					disable_forensic_marking_audio = 0;
+					string const above = audio_disable + "-above-channel-";
+					if (starts_with(i->content(), above)) {
+						string above_number = i->content().substr(above.length());
+						if (above_number == "") {
+							throw KDMFormatError("Badly-formatted ForensicMarkFlag");
+						}
+						disable_forensic_marking_audio = atoi(above_number.c_str());
+					}
+				}
+			}
+		}
 	}
 
 	void as_xml (xmlpp::Element* node) const
@@ -393,12 +418,24 @@ public:
 		}
 		node->add_child("ContentKeysNotValidBefore")->add_child_text (not_valid_before.as_string ());
 		node->add_child("ContentKeysNotValidAfter")->add_child_text (not_valid_after.as_string ());
-		authorized_device_info.as_xml (node->add_child ("AuthorizedDeviceInfo"));
+		if (authorized_device_info) {
+			authorized_device_info->as_xml (node->add_child ("AuthorizedDeviceInfo"));
+		}
 		key_id_list.as_xml (node->add_child ("KeyIdList"));
 
-		xmlpp::Element* forensic_mark_flag_list = node->add_child ("ForensicMarkFlagList");
-		forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable");
-		forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text ("http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable");
+		if (disable_forensic_marking_picture || disable_forensic_marking_audio) {
+			xmlpp::Element* forensic_mark_flag_list = node->add_child ("ForensicMarkFlagList");
+			if (disable_forensic_marking_picture) {
+				forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text(picture_disable);
+			}
+			if (disable_forensic_marking_audio) {
+				string mrkflg = audio_disable;
+				if (*disable_forensic_marking_audio > 0) {
+					mrkflg += String::compose ("-above-channel-%1", *disable_forensic_marking_audio);
+				}
+				forensic_mark_flag_list->add_child("ForensicMarkFlag")->add_child_text (mrkflg);
+			}
+		}
 	}
 
 	Recipient recipient;
@@ -407,10 +444,19 @@ public:
 	string content_title_text;
 	LocalTime not_valid_before;
 	LocalTime not_valid_after;
-	AuthorizedDeviceInfo authorized_device_info;
+	bool disable_forensic_marking_picture;
+	optional<int> disable_forensic_marking_audio;
+	boost::optional<AuthorizedDeviceInfo> authorized_device_info;
 	KeyIdList key_id_list;
+
+private:
+	static const string picture_disable;
+	static const string audio_disable;
 };
 
+const string KDMRequiredExtensions::picture_disable = "http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-picture-disable";
+const string KDMRequiredExtensions::audio_disable = "http://www.smpte-ra.org/430-1/2006/KDM#mrkflg-audio-disable";
+
 class RequiredExtensions
 {
 public:
@@ -508,6 +554,7 @@ public:
 			xmlAddID (0, document->cobj(), (const xmlChar *) i->first.c_str(), i->second->cobj ());
 		}
 
+		indent (document->get_root_node(), 0);
 		return document;
 	}
 
@@ -521,22 +568,28 @@ public:
 
 EncryptedKDM::EncryptedKDM (string s)
 {
-	shared_ptr<cxml::Document> doc (new cxml::Document ("DCinemaSecurityMessage"));
-	doc->read_string (s);
-	_data = new data::EncryptedKDMData (doc);
+	try {
+		shared_ptr<cxml::Document> doc (new cxml::Document ("DCinemaSecurityMessage"));
+		doc->read_string (s);
+		_data = new data::EncryptedKDMData (doc);
+	} catch (xmlpp::parse_error& e) {
+		throw KDMFormatError (e.what ());
+	}
 }
 
+/** @param trusted_devices Trusted device thumbprints */
 EncryptedKDM::EncryptedKDM (
 	shared_ptr<const CertificateChain> signer,
 	Certificate recipient,
-	vector<Certificate> trusted_devices,
-	string device_list_description,
+	vector<string> trusted_devices,
 	string cpl_id,
 	string content_title_text,
 	optional<string> annotation_text,
 	LocalTime not_valid_before,
 	LocalTime not_valid_after,
 	Formulation formulation,
+	bool disable_forensic_marking_picture,
+	optional<int> disable_forensic_marking_audio,
 	list<pair<string, string> > key_ids,
 	list<string> keys
 	)
@@ -544,6 +597,15 @@ EncryptedKDM::EncryptedKDM (
 {
 	/* Fill our XML-ish description in with the juicy bits that the caller has given */
 
+	/* Our ideas, based on http://isdcf.com/papers/ISDCF-Doc5-kdm-certs.pdf, about the KDM types are:
+	 *
+	 * Type                               Trusted-device thumb  ContentAuthenticator
+	 * MODIFIED_TRANSITIONAL_1            assume-trust          No
+	 * MULTIPLE_MODIFIED_TRANSITIONAL_1   as specified          No
+	 * DCI_ANY                            assume-trust          Yes
+	 * DCI_SPECIFIC                       as specified          Yes
+	 */
+
 	data::AuthenticatedPublic& aup = _data->authenticated_public;
 	aup.signer.x509_issuer_name = signer->leaf().issuer ();
 	aup.signer.x509_serial_number = signer->leaf().serial ();
@@ -553,7 +615,6 @@ EncryptedKDM::EncryptedKDM (
 	kre.recipient.x509_issuer_serial.x509_issuer_name = recipient.issuer ();
 	kre.recipient.x509_issuer_serial.x509_serial_number = recipient.serial ();
 	kre.recipient.x509_subject_name = recipient.subject ();
-	kre.authorized_device_info.device_list_description = device_list_description;
 	kre.composition_playlist_id = cpl_id;
 	if (formulation == DCI_ANY || formulation == DCI_SPECIFIC) {
 		kre.content_authenticator = signer->leaf().thumbprint ();
@@ -561,25 +622,41 @@ EncryptedKDM::EncryptedKDM (
 	kre.content_title_text = content_title_text;
 	kre.not_valid_before = not_valid_before;
 	kre.not_valid_after = not_valid_after;
-	kre.authorized_device_info.device_list_identifier = make_uuid ();
-	string n = recipient.subject_common_name ();
-	if (n.find (".") != string::npos) {
-		n = n.substr (n.find (".") + 1);
-	}
-	kre.authorized_device_info.device_list_description = n;
-
-	if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
-		/* Use the "assume trust" thumbprint */
-		kre.authorized_device_info.certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
-	} else if (formulation == DCI_SPECIFIC) {
-		/* As I read the standard we should use the recipient
-		   /and/ other trusted device thumbprints here.  MJD
-		   reports that this doesn't work with his setup;
-		   a working KDM does not include the recipient's
-		   thumbprint (recipient.thumbprint()).
-		*/
-		BOOST_FOREACH (Certificate const & i, trusted_devices) {
-			kre.authorized_device_info.certificate_thumbprints.push_back (i.thumbprint ());
+	kre.disable_forensic_marking_picture = disable_forensic_marking_picture;
+	kre.disable_forensic_marking_audio = disable_forensic_marking_audio;
+
+	if (formulation != MODIFIED_TRANSITIONAL_TEST) {
+		kre.authorized_device_info = data::AuthorizedDeviceInfo ();
+		kre.authorized_device_info->device_list_identifier = make_uuid ();
+		string n = recipient.subject_common_name ();
+		if (n.find (".") != string::npos) {
+			n = n.substr (n.find (".") + 1);
+		}
+		kre.authorized_device_info->device_list_description = n;
+
+		if (formulation == MODIFIED_TRANSITIONAL_1 || formulation == DCI_ANY) {
+			/* Use the "assume trust" thumbprint */
+			kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+		} else if (formulation == MULTIPLE_MODIFIED_TRANSITIONAL_1 || formulation == DCI_SPECIFIC) {
+			if (trusted_devices.empty ()) {
+				/* Fall back on the "assume trust" thumbprint so we
+				   can generate "modified-transitional-1" KDMs
+				   together with "multiple-modified-transitional-1"
+				   KDMs in one go, and similarly for "dci-any" etc.
+				*/
+				kre.authorized_device_info->certificate_thumbprints.push_back ("2jmj7l5rSw0yVb/vlWAYkK/YBwk=");
+			} else {
+				/* As I read the standard we should use the
+				   recipient /and/ other trusted device thumbprints
+				   here. MJD reports that this doesn't work with
+				   his setup; a working KDM does not include the
+				   recipient's thumbprint (recipient.thumbprint()).
+				   Waimea uses only the trusted devices here, too.
+				*/
+				BOOST_FOREACH (string i, trusted_devices) {
+					kre.authorized_device_info->certificate_thumbprints.push_back (i);
+				}
+			}
 		}
 	}
 
@@ -594,7 +671,7 @@ EncryptedKDM::EncryptedKDM (
 	xmlpp::Node::NodeList children = doc->get_root_node()->get_children ();
 	for (xmlpp::Node::NodeList::const_iterator i = children.begin(); i != children.end(); ++i) {
 		if ((*i)->get_name() == "Signature") {
-			signer->add_signature_value (*i, "ds");
+			signer->add_signature_value (dynamic_cast<xmlpp::Element*>(*i), "ds", false);
 		}
 	}
 
@@ -647,6 +724,12 @@ EncryptedKDM::keys () const
 	return _data->authenticated_private.encrypted_key;
 }
 
+string
+EncryptedKDM::id () const
+{
+	return _data->authenticated_public.message_id;
+}
+
 optional<string>
 EncryptedKDM::annotation_text () const
 {
@@ -683,6 +766,23 @@ EncryptedKDM::not_valid_after () const
 	return _data->authenticated_public.required_extensions.kdm_required_extensions.not_valid_after;
 }
 
+string
+EncryptedKDM::recipient_x509_subject_name () const
+{
+	return _data->authenticated_public.required_extensions.kdm_required_extensions.recipient.x509_subject_name;
+}
+
+CertificateChain
+EncryptedKDM::signer_certificate_chain () const
+{
+	CertificateChain chain;
+	BOOST_FOREACH (data::X509Data const & i, _data->signature.x509_data) {
+		string s = "-----BEGIN CERTIFICATE-----\n" + i.x509_certificate + "\n-----END CERTIFICATE-----";
+		chain.add (Certificate(s));
+	}
+	return chain;
+}
+
 bool
 dcp::operator== (EncryptedKDM const & a, EncryptedKDM const & b)
 {