Open GoogleCodeExporter opened 9 years ago
-UPDATE-
Have investigated and discovered it's related to the multiple CA certificates I
provided with the [-2] option. Providing a simple chain of 3 certificates appears
to let ODCP work properly (have not yet ingested on the server, will forward
feedback).
Since I didn't find any info about this (not even in the help), does OpenDCP
support multiple CA certificates? If yes, how do they have to be passed through
the command line to let OpenDCP recognize and manage them properly?
Thank you in advance, Terrence.
Original comment by timothy_...@hotmail.com
on 29 Aug 2012 at 12:37
It only supports 1 CA certificate. It's been a while since I've looked at the
signature stuff; is there a reason to have multiple CA certs?
Original comment by terrenc...@gmail.com
on 6 Sep 2012 at 1:25
Hi Terrence,
sorry for the delay and thank you for your kind reply.
I come with a nice update: the DCP created and signed with ODCP is correctly
ingested and managed by AAM TMS. I simulated some integrity corruptions (swapped
asset, missing asset, binary-corrupted asset); all errors were correctly
recognized, so the signed DCP is working properly.
Regarding the CA cert, I was thinking about the case where the leaf cert is
supplied by a third-party authority; in that case the entire trust chain must be
supplied to the application signing the DCP. Am I missing anything?
Original comment by timothy_...@hotmail.com
on 18 Sep 2012 at 11:06
I'll have to refresh my memory on the signature stuff, I don't really have an
answer for the third party certificates.
Original comment by terrenc...@gmail.com
on 30 Sep 2012 at 2:48
Timothy, right: in digital cinema signatures the complete (and verified)
chain of public key certificates is included. These chains will have at least 2
members. Chains with 4 or 5 members are common. The length of certificate chains
is a function of a facility's internal organization. Different departments
might need to be able to issue certificates themselves, etc.
It's useful to think of all of a chain's certificates (except the leaf/last) as
certificate authorities. There is no need to distinguish the self-signed root
certificate via switch -1 and the (possibly more than 1) intermediate
certificates via switch -2, as OpenDCP does as of now (10/2012).
To be clear: current OpenDCP allows you to provide exactly 1 intermediate
certificate. Like Terrence mentioned, that's the error you ran into.
A possibly better and easier way to handle this on OpenDCP's side would be to
accept and process an arbitrary number of certificates. The certs need to be
sorted along the issuer vector and verified anyway:
Self-signed is first (== root CA) > find a cert issued by the previous >
recurse until leaf.
Original comment by t...@online.de
on 15 Oct 2012 at 6:59
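The ordering sketched in the comment above (self-signed root first, then the certificate issued by the previous link, recursing until the leaf), as an added Go example that is not OpenDCP's code: it builds a constructed 4-member chain, hands it over out of order, and reorders it while checking each link by issuer name and by signature under the issuer's key, so a bundle with no root or a missing intermediate is rejected instead of producing a short chain. The certificate names, the ed25519 keys and the one-hour validity are assumptions made for the fixture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sampleBundle is a constructed 4-member chain (root > facility CA > dept CA > signer), returned out of order.
func sampleBundle() []*x509.Certificate {
	certs, keys := make([]*x509.Certificate, 4), make([]ed25519.PrivateKey, 4)
	for i, cn := range []string{"Sample Root CA", "Sample Facility CA", "Sample Dept CA", "Sample DCP Signer"} {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		keys[i] = key
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: i < 3}
		parent, signer := t, key // the root signs itself ...
		if i > 0 {
			parent, signer = certs[i-1], keys[i-1] // ... every later link is signed by the previous one
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		certs[i], _ = x509.ParseCertificate(der)
	}
	return []*x509.Certificate{certs[3], certs[1], certs[0], certs[2]}
}

// orderChain applies the recipe from the comment: with an empty chain, take the cert that validly signed
// itself (the root); then, repeatedly, the cert issued by the last link; recurse until the bundle is used up.
func orderChain(chain, rest []*x509.Certificate) ([]*x509.Certificate, error) {
	if len(rest) == 0 {
		return chain, nil
	}
	for i, c := range rest {
		parent := c // with an empty chain, the root must have signed itself
		if len(chain) > 0 {
			parent = chain[len(chain)-1]
		}
		if c.Issuer.String() == parent.Subject.String() && c.CheckSignatureFrom(parent) == nil {
			return orderChain(append(chain, c), append(rest[:i:i], rest[i+1:]...))
		}
	}
	return nil, fmt.Errorf("no root, or nothing issued by link %d", len(chain))
}
```

CheckSignatureFrom also refuses a parent that is not a CA, so the leaf can never be taken for a link; call `orderChain(nil, bundle)` to start from an unordered bundle.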
Changing to enhancement
Original comment by terrenc...@gmail.com
on 12 Dec 2012 at 4:03
Original issue reported on code.google.com by timothy_...@hotmail.com on 28 Aug 2012 at 1:50