View Issue Details

IDProjectCategoryView StatusLast Update
0001218DCP-o-maticBugspublic2018-10-17 20:15
Reportercarl Assigned Tocarl  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Target Version2.12.0 
Summary0001218: O/OU/etc. strings in certificates are marked as UTF8STRING not PRINTABLESTRING

which trips a warning in Waimea. a070086131e245384c22a68d6a859d40aa84bd3e in libdcp may fix this.

Steps To Reproduce

openssl asn1parse < cert

with a pem-encoded cert shows the problem; I think nothing should be marked UTF8STRING, everything should be PRINTABLESTRING.

TagsNo tags attached.
Estimated weeks required
Estimated work requiredUnknown



2018-02-28 01:00

manager   ~0002214

Could this have to do with our SONY SMPTE DCP validation/KDM issue?


2018-02-28 01:03

administrator   ~0002215

You never know your luck... the reporter is hoping to test out the fix to see if Waimea stops complaining; if it works I'll put it into v2.12.0 I think.


2018-02-28 01:26

manager   ~0002218

Can you supply a short test SMPTE DCP with that test version?

I updated our Sony to 1.53.4 a while ago - that is ONE step behind the version that is said to fix the SMPTE validation issues for 'some DCPs'. If I update now to 1.54, we may never know what caused the issue. Don't know how far behind the typical Sony installation is. Most german users I know are on some 1.5x version, but not all are on 1.54. As Sony introduces not many feature updates, the incentive to update is rather small.

  • Carsten


2018-02-28 01:31

administrator   ~0002219


2018-02-28 14:07

manager   ~0002227

Got it, will check this evening.

  • Carsten


2018-02-28 19:14

manager   ~0002232

Is that fix already in 2.11.68? I see some change on the Sony, but only for validation, not for verification.
I have to check with older versions, though...

  • Carsten


2018-02-28 19:59

administrator   ~0002233

Not in 2.11.68. I'm waiting on the Waimea check. Also it needs the signing certificates to be regenerated so it may need some UI to offer that when the program starts.


2018-03-06 00:33

administrator   ~0002267

Reporter confirms that this change works (no longer trips Waimea check). This needs to be added to 2.12.x, probably with a prompt to re-make your certificates.


2018-03-06 00:59

manager   ~0002268

No way to recreate valid new certs automatically?

  • Carsten


2018-03-06 01:14

administrator   ~0002269

Probably... though in theory people might have imported certs that they want to keep. Fairly unlikely mind you. I think it could be automatic if you agree.


2018-03-06 12:48

manager   ~0002270

Last edited: 2018-03-06 13:03

Alright, so the issue it is not the handling/storing/application of certs in general, but 'just' the creation of new certs?

Could DCP-o-matic detect self-generated certs and correct only those?

Maybe I am reading too much in this issue, I am just nervous that people may lose their certificate/encrypted DCP/KDM database, and maybe without knowing/understanding it?

  • Carsten


2018-03-06 14:52

administrator   ~0002271

Yes, it's the creation. It's possible that we can fix the problem without creating new certs. Agreed on the risks to encrypted content.


2018-03-08 00:28

administrator   ~0002285

@carl asn1_parse2 shows how to do it; ASN1_get_object?


2018-03-09 00:58

administrator   ~0002286

6d770c4c8c79569871edc20253f29f9ea00539e6 in master will offer to fix signer chains on startup if they are wrong. I'll leave decryption chains for now as I think they are much less critical: the only bad situation I can think of is some other software not liking a decryption cert when it's making a KDM...


2018-03-10 15:35

manager   ~0002291

Last edited: 2018-03-10 15:39

Okay, so techwise, this would be an issue with both signing and encryption, and for now, the fix only targets signing certs?
That Waimea warning mentioned above trips a warning based on signer certificate, or encryption, or both? Maybe add a line to the text saying that encryption/KDMs of existing DCPs is not harmed by recreating the certs? Even if there was a string freeze towards 2.12, we should probably make this localizable?

Admittedly, those not understanding the term 'signing certificate' will hardly be able to make an educated decision there anyway? I just hate it when an app asks things many users are not able to understand ;-) Like Antivirus programs asking a user what to do with ''...

  • Carsten

Issue History

Date Modified Username Field Change
2018-02-28 00:27 carl New Issue
2018-02-28 01:00 Carsten Note Added: 0002214
2018-02-28 01:03 carl Note Added: 0002215
2018-02-28 01:26 Carsten Note Added: 0002218
2018-02-28 01:31 carl Note Added: 0002219
2018-02-28 14:07 Carsten Note Added: 0002227
2018-02-28 19:14 Carsten Note Added: 0002232
2018-02-28 19:59 carl Note Added: 0002233
2018-03-06 00:33 carl Note Added: 0002267
2018-03-06 00:33 carl Assigned To => carl
2018-03-06 00:33 carl Status new => confirmed
2018-03-06 00:59 Carsten Note Added: 0002268
2018-03-06 01:14 carl Note Added: 0002269
2018-03-06 12:48 Carsten Note Added: 0002270
2018-03-06 13:03 Carsten Note Edited: 0002270
2018-03-06 14:52 carl Note Added: 0002271
2018-03-08 00:28 carl Note Added: 0002285
2018-03-09 00:58 carl Status confirmed => resolved
2018-03-09 00:58 carl Resolution open => fixed
2018-03-09 00:58 carl Note Added: 0002286
2018-03-10 15:35 Carsten Note Added: 0002291
2018-03-10 15:36 Carsten Note Edited: 0002291
2018-03-10 15:39 Carsten Note Edited: 0002291
2018-10-17 20:15 carl Status resolved => closed