From: Carl Hetherington Date: Sat, 12 Feb 2022 14:55:47 +0000 (+0100) Subject: Make certificate chain validity a parameter of the constructor. X-Git-Tag: v1.6.19 X-Git-Url: https://main.carlh.net/gitweb/?a=commitdiff_plain;h=4b48bfa7f069092e53bc7fcba93a99d34b18be8a;hp=575129cca8f3161881fab63bf2961d102c24c286;p=libdcp.git Make certificate chain validity a parameter of the constructor. --- diff --git a/src/certificate_chain.cc b/src/certificate_chain.cc index 92e3aca1..7ade2e8c 100644 --- a/src/certificate_chain.cc +++ b/src/certificate_chain.cc @@ -179,6 +179,7 @@ public_key_digest (boost::filesystem::path private_key, boost::filesystem::path CertificateChain::CertificateChain ( boost::filesystem::path openssl, + int validity_in_days, string organisation, string organisational_unit, string root_common_name, @@ -186,9 +187,6 @@ CertificateChain::CertificateChain ( string leaf_common_name ) { - /* Valid for 40 years */ - int const days = 365 * 40; - boost::filesystem::path directory = boost::filesystem::temp_directory_path() / boost::filesystem::unique_path (); boost::filesystem::create_directories (directory); @@ -226,7 +224,7 @@ CertificateChain::CertificateChain ( String::compose ( "%1 req -new -x509 -sha256 -config ca.cnf -days %2 -set_serial 5" " -subj \"%3\" -key ca.key -outform PEM -out ca.self-signed.pem", - quoted_openssl, days, ca_subject + quoted_openssl, validity_in_days, ca_subject ) ); } @@ -259,7 +257,7 @@ CertificateChain::CertificateChain ( command ( String::compose ( "%1 req -new -config intermediate.cnf -days %2 -subj \"%3\" -key intermediate.key -out intermediate.csr", - quoted_openssl, days - 1, inter_subject + quoted_openssl, validity_in_days - 1, inter_subject ) ); } @@ -268,7 +266,7 @@ CertificateChain::CertificateChain ( String::compose( "%1 x509 -req -sha256 -days %2 -CA ca.self-signed.pem -CAkey ca.key -set_serial 6" " -in intermediate.csr -extfile intermediate.cnf -extensions v3_ca -out intermediate.signed.pem", - quoted_openssl, days - 1 + quoted_openssl, validity_in_days - 1 ) ); @@ -300,7 +298,7 @@ CertificateChain::CertificateChain ( command ( String::compose ( "%1 req -new -config leaf.cnf -days %2 -subj \"%3\" -key leaf.key -outform PEM -out leaf.csr", - quoted_openssl, days - 2, leaf_subject + quoted_openssl, validity_in_days - 2, leaf_subject ) ); } @@ -309,7 +307,7 @@ CertificateChain::CertificateChain ( String::compose( "%1 x509 -req -sha256 -days %2 -CA intermediate.signed.pem -CAkey intermediate.key" " -set_serial 7 -in leaf.csr -extfile leaf.cnf -extensions v3_ca -out leaf.signed.pem", - quoted_openssl, days - 2 + quoted_openssl, validity_in_days - 2 ) ); diff --git a/src/certificate_chain.h b/src/certificate_chain.h index 63ef8901..81ac098a 100644 --- a/src/certificate_chain.h +++ b/src/certificate_chain.h @@ -76,6 +76,7 @@ public: */ CertificateChain ( boost::filesystem::path openssl, + int validity_in_days, std::string organisation = "example.org", std::string organisational_unit = "example.org", std::string root_common_name = ".smpte-430-2.ROOT.NOT_FOR_PRODUCTION", diff --git a/test/certificates_test.cc b/test/certificates_test.cc index 41b2357e..ef75c186 100644 --- a/test/certificates_test.cc +++ b/test/certificates_test.cc @@ -201,6 +201,7 @@ BOOST_AUTO_TEST_CASE (certificates_validation9) { dcp::CertificateChain good ( boost::filesystem::path ("openssl"), + 10 * 365, "dcpomatic.com", "dcpomatic.com", ".dcpomatic.smpte-430-2.ROOT", @@ -214,7 +215,7 @@ BOOST_AUTO_TEST_CASE (certificates_validation9) /** Check that we can create a valid chain */ BOOST_AUTO_TEST_CASE (certificates_validation10) { - dcp::CertificateChain good (boost::filesystem::path ("openssl")); + dcp::CertificateChain good (boost::filesystem::path ("openssl"), 10 * 365); BOOST_CHECK_NO_THROW (good.root_to_leaf()); } @@ -230,7 +231,7 @@ BOOST_AUTO_TEST_CASE (signer_validation) BOOST_CHECK (chain.valid ()); /* Put in an unrelated key and the signer should no longer be valid */ - dcp::CertificateChain another_chain (boost::filesystem::path ("openssl")); + dcp::CertificateChain another_chain (boost::filesystem::path ("openssl"), 10 * 365); chain.set_key (another_chain.key().get ()); BOOST_CHECK (!chain.valid ()); } @@ -238,9 +239,9 @@ BOOST_AUTO_TEST_CASE (signer_validation) /** Check reading of a certificate chain from a string */ BOOST_AUTO_TEST_CASE (certificate_chain_from_string) { - dcp::CertificateChain a (dcp::file_to_string (private_test / "chain.pem")); + dcp::CertificateChain a (dcp::file_to_string (private_test / "chain.pem"), 10 * 365); BOOST_CHECK_EQUAL (a.root_to_leaf().size(), 3); - dcp::CertificateChain b (dcp::file_to_string ("test/ref/crypt/leaf.signed.pem")); + dcp::CertificateChain b (dcp::file_to_string ("test/ref/crypt/leaf.signed.pem"), 10 * 365); BOOST_CHECK_EQUAL (b.root_to_leaf().size(), 1); } diff --git a/test/round_trip_test.cc b/test/round_trip_test.cc index 9c100124..02818283 100644 --- a/test/round_trip_test.cc +++ b/test/round_trip_test.cc @@ -49,7 +49,7 @@ using boost::scoped_array; /** Build an encrypted picture asset and a KDM for it and check that the KDM can be decrypted */ BOOST_AUTO_TEST_CASE (round_trip_test) { - shared_ptr signer (new dcp::CertificateChain (boost::filesystem::path ("openssl"))); + shared_ptr signer (new dcp::CertificateChain (boost::filesystem::path ("openssl"), 10 * 365)); boost::filesystem::path work_dir = "build/test/round_trip_test"; boost::filesystem::create_directory (work_dir);