View Bug Details

IDProjectCategoryView StatusLast Update
0001422DCP-o-maticFeaturespublic2019-12-05 20:22
Reportercarl Assigned Tocarl  
PrioritynormalSeverityminorReproducibilityN/A
Status resolvedResolutionfixed 
Target Version2.16.0 
Summary0001422: Set the validity period of DCP-o-matic's certificates to start before "now" on creation
Description

Otherwise if DCP-o-matic is installed and then used straight away to create stuff, the validity times can be in the future to servers with badly-synced clocks.

Tagscorrectness, next
Branch
Estimated weeks required
Estimated work requiredMedium

Activities

Carsten

2018-12-02 14:22

manager   ~0002789

I would say this only concerns very rare circumstances where a new installation of DCP-o-matic is used immediately for the creation of encrypted content to be played out 'immediately'. Admittedly, it can happen. Some Dolby media blocks have clocks with unusually high drift rates, and if not corrected on a regular basis, can drift multiple days. And maybe this could also cause problems with the signing certificate if the server is picky.

I can see no reason why the certificate validity period couldn't be set to start a few days from the past.

  • Carsten

Carsten

2018-12-02 15:28

manager   ~0002790

Last edited: 2018-12-02 15:28

On a side note - our Sony was installed in March 2013. It was delivered from Japan sometime in February 2013. It was one of the very first units to be installed.

The media block certificate validity window is:

Tue, Dec 18, 2012 09:16 UTC — Thu, Dec 11, 2042 09:26 UTC

carl

2019-12-01 22:29

administrator   ~0003618

I've added checks into DoM v2.15.x which complain if the KDM validity period is outside (or close to being outside) the validity period of the certs, so this is more important now; as it stands, you can't install DoM then make a KDM starting on the same day (it seems wise to reject times which are close, to avoid timezone difficulties).

Sadly, setting the start time of certificates with OpenSSL the way DoM currently does it is very awkward, so this will need some work.

carl

2019-12-01 22:30

administrator   ~0003619

@carl seems like the options are

  • use openssl ca not openssl x509
  • remove these calls altogether and use the library direct
  • patch openssl so we can use x509 but specify start date

carl

2019-12-01 22:31

administrator   ~0003620

Last edited: 2019-12-02 23:29

@carl given the upheaval with any of these maybe it's time to do it "right" (i.e. option 2); having said that, there is so much horrid code in those front ends that it might be too painful. Then 3 seems tempting; apart from anything else it seems rather risky only to bundle the openssl binary on Windows (as we do now) and option 3 would bundle it everywhere.

carl

2019-12-02 23:35

administrator   ~0003623

Exploring the openssl hack in the clone of openssl git on git.carlh.net

carl

2019-12-03 23:04

administrator   ~0003624

openssl is patched; openssl branch of dcpomatic git is built on v2.15.x and tries to add the openssl binary in all the right places.

carl

2019-12-03 23:46

administrator   ~0003625

Last edited: 2019-12-05 20:21

Windows, ubuntu, appimage, fedora, mac seem to be ok.

carl

2019-12-05 20:22

administrator   ~0003627

d386392e79d59f0c5647b0d778348b72d7cd7069

Bug History

Date Modified Username Field Change
2018-12-01 22:01 carl New Bug
2018-12-02 14:22 Carsten Note Added: 0002789
2018-12-02 15:28 Carsten Note Added: 0002790
2018-12-02 15:28 Carsten Note Edited: 0002790
2019-01-09 01:08 carl Target Version 2.14.0 =>
2019-12-01 22:27 carl Tag Attached: next
2019-12-01 22:29 carl Note Added: 0003618
2019-12-01 22:29 carl Target Version => 2.16.0
2019-12-01 22:29 carl Estimated work required Unknown => Medium
2019-12-01 22:29 carl Tag Attached: correctness
2019-12-01 22:29 carl Status new => acknowledged
2019-12-01 22:30 carl Note Added: 0003619
2019-12-01 22:31 carl Note Added: 0003620
2019-12-02 23:27 carl Note Edited: 0003620
2019-12-02 23:29 carl Note Edited: 0003620
2019-12-02 23:35 carl Note Added: 0003623
2019-12-03 23:04 carl Note Added: 0003624
2019-12-03 23:46 carl Note Added: 0003625
2019-12-04 19:26 carl Note Edited: 0003625
2019-12-04 21:23 carl Note Edited: 0003625
2019-12-04 21:49 carl Note Edited: 0003625
2019-12-05 20:21 carl Note Edited: 0003625
2019-12-05 20:22 carl Assigned To => carl
2019-12-05 20:22 carl Status acknowledged => resolved
2019-12-05 20:22 carl Resolution open => fixed
2019-12-05 20:22 carl Note Added: 0003627