Check for bad DN qualifiers on signer certificates (#2716).

[dcpomatic.git] / src / lib / config.cc

diff --git a/src/lib/config.cc b/src/lib/config.cc
index 45fc6192387020c1273de3ac28a3f3a65ee85a47..1bb2f3c6a53e45fcd74b81f80b45883bb15f8eef 100644 (file)
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -501,6 +501,7 @@ try
                        case BAD_SIGNER_UTF8_STRINGS:
                        case BAD_SIGNER_INCONSISTENT:
                        case BAD_SIGNER_VALIDITY_TOO_LONG:
+                       case BAD_SIGNER_DN_QUALIFIER:
                                _signer_chain = create_certificate_chain ();
                                break;
                        case BAD_DECRYPTION_INCONSISTENT:
@@ -1590,6 +1591,9 @@ Config::check_certificates () const
                if ((i.not_after().year() - i.not_before().year()) > 15) {
                        bad = BAD_SIGNER_VALIDITY_TOO_LONG;
                }
+               if (dcp::escape_digest(i.subject_dn_qualifier()) != dcp::public_key_digest(i.public_key())) {
+                       bad = BAD_SIGNER_DN_QUALIFIER;
+               }
        }
 
        if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {