KDM validity period starts before or close to the start of the signing certificate validity period

Carsten
Posts: 1581
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM validity period starts before or close to the start of the signing certificate validity period

Post by Carsten »

I only get that message when I actually create KDMs with start or end date close to the signing cert validity period. In my case, using 2.15.47 with freshly created certs, that is one week ago until 2060. So, either you are trying to create very long validity KDMs, or your signing certs contain weird validity windows. Please check them using the mentioned cert decoder.

You mention running both 2.15.47 and 2.14.26 on the same machine - how do you do that, what OS is this in?

- Carsten

Alex Asp
Posts: 88
Joined: Mon Apr 11, 2016 3:59 am

Re: KDM validity period starts before or close to the start of the signing certificate validity period

Post by Alex Asp »

OK. Let's clarify some points.

1. I am getting this error message only when creating DKDMs from DOM. I need that to play back encrypted DCPs on my machine. On the other hand, KDMs from DOM are created just fine. Nothing to do with start or end of validity period. I can't keep all DCPs on the machine, so it's better to offload them to a backup medium and use DKDMs when a new KDM is needed.
2. I never issue KDMs valid longer than one week into the future.
3. I'm running macOS 10.15.1, Mac Pro 2012.
4. DOM ver 2.15.47 resides in the Applications folder, the release version sits on another drive.

Here's the signing certificate contents:


Carsten
Posts: 1581
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM validity period starts before or close to the start of the signing certificate validity period

Post by Carsten »

Okay, that signing cert is valid from Dec 2019 through December 2059 and should not cause any trouble.


So, there obviously seems to be a bug in 2.15.x.

Let me see...

I guess I see what the problem is. With KDMs, you can select the validity window yourself. As DKDMs have to follow the same formal definition, DKDMs need a validity window just as well. DCP-o-matic chooses that validity window all by itself when creating DKDMs, and sets it very long - I checked DKDMs created with 2.10.5 and 2.15.47, and their validity windows are the same - from 2012 through 2112. While the signing cert window obviously is much shorter.
So, as that signing cert validity window check is new in 2.15.x, you run into that issue. 2.14.x simply doesn't perform that check.
I guess the best way to solve this would be to create DKDMs with about the same validity window as the current signing cert.

For now, you probably need to use 2.14.x to create a DKDM.

You can have different DCP-o-matic versions on the same drive without any problems. I create subfolders in my app folder for this - e.g. DOM2_14_31, DOM2_15_47. They all share the same prefs.

- Carsten
Last edited by Carsten on Tue Mar 10, 2020 9:56 pm, edited 1 time in total.
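
The window comparison discussed in the post above, as an added example that is not part of the thread and is not DCP-o-matic's code. The KDM fragment, the exact dates (chosen to match the 2012 to 2112 and Dec 2019 to Dec 2059 windows mentioned), the one-day `margin` for "close to", and the function names are all assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed, heavily trimmed KDM fragment: only the validity elements are kept.
SAMPLE_DKDM = """<KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
  <ContentKeysNotValidBefore>2012-01-01T00:00:00+00:00</ContentKeysNotValidBefore>
  <ContentKeysNotValidAfter>2112-01-01T00:00:00+00:00</ContentKeysNotValidAfter>
</KDMRequiredExtensions>"""

# Constructed signer certificate window (Dec 2019 to Dec 2059, as in the thread).
CERT_FROM = datetime(2019, 12, 14, tzinfo=timezone.utc)
CERT_TO = datetime(2059, 12, 11, tzinfo=timezone.utc)

def kdm_window(xml_text):
    """Return (not_before, not_after) from KDM XML, matching by local element name."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        if local in ("ContentKeysNotValidBefore", "ContentKeysNotValidAfter"):
            found[local] = datetime.fromisoformat(el.text.strip())
    return found["ContentKeysNotValidBefore"], found["ContentKeysNotValidAfter"]

def check_window(kdm_from, kdm_to, cert_from, cert_to, margin=timedelta(days=1)):
    """List conflicts between a KDM window and the signer certificate window.

    `margin` is an assumed meaning of "close to"; the thread gives no value.
    """
    problems = []
    if kdm_from < cert_from + margin:
        problems.append("starts before or close to start of signing certificate validity")
    if kdm_to > cert_to - margin:
        problems.append("ends after or close to end of signing certificate validity")
    return problems

def clamp_window(kdm_from, kdm_to, cert_from, cert_to, margin=timedelta(days=1)):
    """Shrink a KDM window so it sits inside the certificate window."""
    return max(kdm_from, cert_from + margin), min(kdm_to, cert_to - margin)

if __name__ == "__main__":
    start, end = kdm_window(SAMPLE_DKDM)
    print(check_window(start, end, CERT_FROM, CERT_TO))
    print(clamp_window(start, end, CERT_FROM, CERT_TO))
```
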

Carsten
Posts: 1581
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM validity period starts before or close to the start of the signing certificate validity period

Post by Carsten »

So, it seems there is a bug in 2.15.47 that hits under certain conditions. Carl will probably have a fix ready in no time. Until then, you should probably use 2.14.31 to create the DKDM. Everything else should be fine.

- Carsten
