Hi all,
Sorry I dropped the ball with this... too many emails and too little time.
I'm still keen to get to the bottom of it!
1) DoM self-signed certificate chain is created with a validity time stamp in the future. This could happen because either the system clock
on the machine which DoM runs on, or the media block secure clock is
out of sync. I don't know if there is anything we really can do about
this, apart from telling people that it is important to have accurate
clocks. Especially Dolby Cat745s are notorious for drifting (usually
into the future though). The Cat745 clock in this particular case has
been verified as set accurately. Unfortunately I have so far been
unable to verify if system time on the system which DoM was run to
generate the content was set correctly.
The chain should only be created when DCP-o-matic is first run on a
machine, so unless the clock was way out I think this should only happen
if a DCP is made soon enough after DCP-o-matic's initial install.
Maybe it's possible to set the validity period of DoM's certificates to
start before "now" as a partial workaround?
2) UUIDs for DoM's KDMs are reused. Why I suspect that maybe DoM incorrectly re-uses KDM UUIDs is that the Cat745 log below references an ID from the KDM XML issued with the same id after this log entry.
I don't think I follow this, sorry. The log is validating 4576cbc1...
where is the re-use?
Thanks for getting in touch!
All the best,
Carl
From the Cat745 log (the clock is accurate and set to UTC):
Jun 9 06:39:34 (none) daemon.info decoder: *KDM ***CHECK*** started*
Jun 9 06:39:34 (none) daemon.info decoder: Parsing KDM XML
Jun 9 06:39:34 (none) daemon.info decoder: KDM XML parse statistics [w:0] - [e:0] - [f:0]
Jun 9 06:39:34 (none) daemon.info decoder: De-serializing KDM
Jun 9 06:39:34 (none) daemon.info decoder: Validating KDM id [ urn:uuid:4576cbc1-62ef-4d99-967b-5b79be35344d ] and CPL id [ urn:uuid:74ba48d5-eead-4326-8450-586eb352dacb ]
Jun 9 06:39:34 (none) daemon.info decoder: Validating KDM Certificate Chain
Jun 9 06:39:34 (none) daemon.err decoder: Certificate verification failure: certificate is not yet valid sn: /O=dcpomatic.com/OU=dcpomatic.com/CN=.dcpomatic.smpte-430-2.ROOT/dnQualifier=29lUqc7kxOCh6TkpwD9eOM9JBsg= depth: 2
Jun 9 06:39:34 (none) daemon.info decoder: Destroying KDM [ urn:uuid:4576cbc1-62ef-4d99-967b-5b79be35344d ]
Jun 9 06:39:34 (none) daemon.info decoder: KDM validation failed: [ X509 certificate verification failed ] #CertFormatError
Jun 9 06:39:34 (none) daemon.info decoder: DEBUG: Check KDM completed [#CertFormatError]
Excerpt from KDM 4576cbc1-62ef-4d99-967b-5b79be35344d XML:
<IssueDate>2018-06-09T19:31:57+02:00</IssueDate>
<Signer>
<ds:X509IssuerName>dnQualifier=Q0ZlUge6zK2OCaGcPnyDlP2Uo28=,CN=.dcpomatic.smpte-430-2.INTERMEDIATE,OU=dcpomatic.com,O=dcpomatic.com</ds:X509IssuerName>
<ds:X509SerialNumber>7</ds:X509SerialNumber>
</Signer>
<RequiredExtensions>
<KDMRequiredExtensions
xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
<Recipient>
<X509IssuerSerial>
<ds:X509IssuerName>dnQualifier=xXoRSRkNkwROURqMrh3PRRPASfI=,CN=.DolbyDC-MFGCA-ARX-4,O=DC256.Cinea.Com,OU=DolbyMediaBlock</ds:X509IssuerName>
<ds:X509SerialNumber>584</ds:X509SerialNumber>
</X509IssuerSerial>
(...)
</Recipient>
(...)
<ContentKeysNotValidBefore>2018-06-09T14:11:00+02:00</ContentKeysNotValidBefore>
<ContentKeysNotValidAfter>2018-12-16T19:13:00+02:00</ContentKeysNotValidAfter>
Excerpt from "openssl x509 -text" for cert #7 from above:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = dcpomatic.com, OU = dcpomatic.com, CN = .dcpomatic.smpte-430-2.INTERMEDIATE, dnQualifier = Q0ZlUge6zK2OCaGcPnyDlP2Uo28=
Validity
Not Before: Jun 9 14:47:26 2018 GMT
Not After : Jun 4 14:47:26 2028 GMT
Subject: O = dcpomatic.com, OU = dcpomatic.com, CN = CS.dcpomatic.smpte-430-2.LEAF, dnQualifier = "Z8+acwErJf+bgd/b+4fPD1Mxpac="
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Best,
Mattias
On Mon, Jun 11, 2018 at 11:51 AM, Carl Hetherington via DCPomatic
<dcpomatic(a)carlh.net> wrote:
Hi Tobias,
That's an odd one. I'll put a message out onto the forums to see if
anybody knows what that actually means.
Do you have the same software versions running on the DSS200/Cat.745 in
all your auditoria?
Are you using DCP-o-matic's automatically-generated signing certificates?
(if you haven't imported your own certs, you will be).
Kind regards,
Carl
On Sat, 9 Jun 2018, Tobias Jingwall via DCPomatic wrote:
Hi
When I'm trying to make a KDM key for my DCP clip I get this message
"Error - invalid/unauthorized clip signature"
It's working on some of the auditoriums.
We got DSS200 and Cat. No. 745
_______________________________________________
DCPomatic mailing list
DCPomatic(a)carlh.net
http://main.carlh.net/cgi-bin/mailman/listinfo/dcpomatic
--
-mattias
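Added example (not part of the thread, and not DCP-o-matic's or Dolby's code): a small clock-skew triage script for the "certificate is not yet valid" failure discussed above. It parses the three timestamps the thread shows in three different formats (the signer certificate's Not Before as printed by "openssl x509 -text", the KDM IssueDate as ISO 8601 with a UTC offset, and the Cat745 syslog line, which carries no year), converts them all to UTC, and reports how far the verifying clock trails the certificate. It assumes, as Mattias states, that the Cat745 clock is set to UTC, and it takes the syslog year (2018) from the KDM's IssueDate; the tolerance argument and the backdating helper are illustrations of Carl's "start before now" workaround, not anything DCP-o-matic implements. Only the Python standard library is used.

```python
"""Clock-skew triage for a 'certificate is not yet valid' KDM failure.

Constructed example, not project code. Inputs are copied from the thread:
cert Not Before 'Jun  9 14:47:26 2018 GMT', KDM IssueDate
'2018-06-09T19:31:57+02:00', media block log 'Jun 9 06:39:34' (UTC, year
assumed 2018).
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_openssl_time(s: str) -> datetime:
    """Parse OpenSSL's 'Jun  9 14:47:26 2018 GMT' (two spaces before a 1-digit day)."""
    s = " ".join(s.split())  # collapse the padding OpenSSL adds for 1-digit days
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)


def parse_kdm_time(s: str) -> datetime:
    """Parse an SMPTE 430-1 KDM timestamp (ISO 8601 with offset) to aware UTC."""
    return datetime.fromisoformat(s).astimezone(UTC)


def parse_syslog_time(s: str, year: int, tz=UTC) -> datetime:
    """Parse 'Jun 9 06:39:34'. Syslog omits the year, so the caller supplies it;
    the zone defaults to UTC because the thread says the Cat745 clock is UTC."""
    s = " ".join(s.split())
    return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)


def not_yet_valid(not_before: datetime, check_time: datetime,
                  tolerance: timedelta = timedelta(0)) -> bool:
    """Mirror the X.509 check that produced the log error: the certificate is
    'not yet valid' when the verifier's clock is before notBefore. The optional
    tolerance models a verifier willing to accept a little skew (assumption:
    real media blocks are not known to do this)."""
    return check_time < not_before - tolerance


def backdated_not_before(issue_time: datetime,
                         grace: timedelta = timedelta(days=1)) -> datetime:
    """Carl's proposed workaround: when generating a chain, start validity
    before 'now' so a verifier whose clock lags slightly still accepts it."""
    return issue_time - grace


def skew_report(cert_not_before: str, kdm_issue: str, log_time: str,
                year: int, tolerance: timedelta = timedelta(0)) -> dict:
    """Normalise all three clocks to UTC and measure the gaps between them."""
    nb = parse_openssl_time(cert_not_before)
    issued = parse_kdm_time(kdm_issue)
    checked = parse_syslog_time(log_time, year)
    return {
        "cert_not_before_utc": nb.isoformat(),
        "kdm_issued_utc": issued.isoformat(),
        "checked_utc": checked.isoformat(),
        # positive = the certificate starts being valid AFTER the check ran
        "cert_lead_seconds": int((nb - checked).total_seconds()),
        # positive = the KDM was issued AFTER the media block checked it
        "kdm_lead_seconds": int((issued - checked).total_seconds()),
        "not_yet_valid": not_yet_valid(nb, checked, tolerance),
        # True would mean the issuing machine itself was inconsistent
        "kdm_issued_before_cert": issued < nb,
    }


if __name__ == "__main__":
    report = skew_report("Jun  9 14:47:26 2018 GMT",
                         "2018-06-09T19:31:57+02:00",
                         "Jun 9 06:39:34", 2018)
    for k, v in report.items():
        print(f"{k:24} {v}")
```

Run as-is, the report shows the certificate's Not Before sitting about 8 hours 8 minutes after the moment the Cat745 logged its check, and the KDM issue time about 10 hours 52 minutes after it, while the KDM itself was issued after the certificate started being valid. That pattern (issuer self-consistent, verifier far behind) is what you would expect if one of the two clocks was hours off when the chain was generated or when the check ran; which one cannot be decided from the log alone, which is exactly the open question in the thread.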