From bb7917d2ea06e6eaa566b00a279e9b5a6a351fc9 Mon Sep 17 00:00:00 2001
From: Carl Hetherington
Date: Thu, 25 Aug 2016 14:42:37 +0100
Subject: [PATCH] Take the leaf of a certificate chain if one is provided for a screen certificate (#937).
---
 ChangeLog | 5 +++++
 cscript | 2 +-
 src/wx/config_dialog.cc | 5 +++--
 src/wx/screen_dialog.cc | 5 ++++-
 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 42ac1ea08..b0a681955 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2016-08-25 c.hetherington
+
+ * Fix silent acceptance of certificate chains where
+ single certificates are required (#937).
+
 2016-08-25 Carl Hetherington
 * Updated nl_NL translation from Rob van Nieuwkerk.
diff --git a/cscript b/cscript
index 137781398..43a9b0832 100644
--- a/cscript
+++ b/cscript
@@ -237,7 +237,7 @@ def dependencies(target):
 ffmpeg_options = {}
 return (('ffmpeg-cdist', '1d4a1a4', ffmpeg_options),
- ('libdcp', '04def4c'),
+ ('libdcp', 'ac6df08'),
 ('libsub', '067c21c'))
 def configure_options(target):
diff --git a/src/wx/config_dialog.cc b/src/wx/config_dialog.cc
index ac5d90296..0369070a7 100644
--- a/src/wx/config_dialog.cc
+++ b/src/wx/config_dialog.cc
@@ -773,8 +773,9 @@ private:
 if (d->ShowModal() == wxID_OK) {
 try {
- dcp::Certificate c (dcp::file_to_string (wx_to_std (d->GetPath ())));
- if (c.extra_data ()) {
+ dcp::Certificate c;
+ string const extra = c.read_string (dcp::file_to_string (wx_to_std (d->GetPath ())));
+ if (!extra.empty ()) {
 message_dialog (
 this,
 _("This file contains other certificates (or other data) after its first certificate. "
diff --git a/src/wx/screen_dialog.cc b/src/wx/screen_dialog.cc
index e01b98962..0ecf223e6 100644
--- a/src/wx/screen_dialog.cc
+++ b/src/wx/screen_dialog.cc
@@ -25,6 +25,7 @@
 #include "lib/compose.hpp"
 #include "lib/util.h"
 #include
+#include
 #include
 #include
 #include
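Review bot: In the src/wx/config_dialog.cc hunk, the switch from the string constructor to a default-constructed `c` plus `read_string` carries no comment, and the reason matters to anyone who touches this check later. A comment above the call would do: `/* read_string appears to return whatever follows the first certificate; non-empty means the file held a chain or trailing data */`. The hunk ends inside the `message_dialog` call, so whether `c` is still stored after the warning is not visible. If it is, the certificate kept is simply the first one in the file, whereas `ScreenDialog::load_recipient` in this same commit takes the chain's leaf, and that difference is worth stating in the comment as well.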
@@ -151,7 +152,9 @@ void ScreenDialog::load_recipient (boost::filesystem::path file)
 {
 try {
- set_recipient (dcp::Certificate (dcp::file_to_string (file)));
+ /* Load this as a chain, in case it is one, and then pick the leaf certificate */
+ dcp::CertificateChain c (dcp::file_to_string (file));
+ set_recipient (c.leaf ());
 } catch (dcp::MiscError& e) {
 error_dialog (this, wxString::Format (_("Could not read certificate file (%s)"), std_to_wx(e.what()).data()));
 }
--
2.30.2
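Review bot: `c.leaf ()` in `load_recipient` is used without checking that the certificates in the file actually form one chain, and nothing tells the user that a multi-certificate file was reduced to a single certificate. The recipient certificate is presumably the key that KDMs for this screen are targeted at, so a bundle whose certificates are unrelated or in an unexpected order could select the wrong one with no visible sign. Consider validating the chain before taking the leaf and showing the user which certificate was chosen; the config dialog in this commit at least warns about the same kind of file. The handler also catches only `dcp::MiscError`, and whether the chain constructor or `leaf ()` can fail differently on an empty or non-certificate file is not visible here; since only `e.what()` is used, `} catch (std::exception& e) {` would cover that case if `dcp::MiscError` derives from it. The function's closing brace lies outside the hunk.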