tmeiczin / opendcp

Created digital cinemas packages (DCP)
http://www.opendcp.org
GNU General Public License v3.0

Signature with own certificates in CLI app #131

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Signing DCP providing my own certificates with options -s -1 "root.crt" -2 "ca1.crt" [+ -2 "caXX.crt" + ...] -3 "signer.crt" -p privkey.pem

What is the expected output? What do you see instead?
Expected DCP correctly signed; instead get a bunch of errors (private information only omitted):
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/O=XXX/OU=XXX/CN=XXX/dnQualifier=XXX=;err=2;msg=unable to get issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=380:obj=x509-store:subj=unknown:error=74:certificate issuer check failed:err=2;msg=unable to get issuer certificate;issuer=/O=XXX/OU=XXX/CN=XXX/dnQualifier=XXX
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/O=XXX/OU=XXX/CN=XXX/dnQualifier=XXX;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/O=XXX/OU=XXX/CN=XXX/dnQualifier=XXX;err=20;msg=unable to get local issuer certificate

Looks like OpenDCP correctly opens and reads my own certificates, but some information is missing.

What version of the product are you using? On what operating system?
latest build - Win x64 CLI version

Please provide any additional information below.
Have correctly generated my own certificate chain with .crt extension (PEM, plain text ASCII each one).
Certificates working properly in a commercial application.
Don't know if I'm providing them correctly to OpenDCP since the help refers to PEM certificates; maybe I'm missing something? (PEM in this case relates to human readable base 64 ASCII text, am I wrong?)

Also tried to register an account on "dcinemaforum.org" but got this message: "The user Timothy with Email myownemail@.. (IP ...) is a Spam, please contact forum administrator." So what?

Original issue reported on code.google.com by timothy_...@hotmail.com on 28 Aug 2012 at 1:50

GoogleCodeExporter commented 9 years ago
-UPDATE-

Have investigated and discovered it's related to the multiple CA certificates I provided with the [-2] option. Providing a simple chain of 3 certificates appears to let ODCP work properly (have not yet ingested on server, will forward feedback).
Since I didn't find any info about this (not even in the help): does OpenDCP support multiple CA certificates? If yes, how do they have to be passed through the command line to let OpenDCP recognize and manage them properly?

Thank you in advance, Terrence.

Original comment by timothy_...@hotmail.com on 29 Aug 2012 at 12:37

GoogleCodeExporter commented 9 years ago
It only supports 1 CA certificate. It's been a while since I've looked at the signature stuff; is there a reason to have multiple CA certs?

Original comment by terrenc...@gmail.com on 6 Sep 2012 at 1:25

GoogleCodeExporter commented 9 years ago
Hi Terrence

sorry for the delay and thank you for your kind reply.
I come with a nice update: the DCPs created and signed with ODCP are correctly ingested and managed by AAM TMS. I simulated some integrity corruptions (swapped asset, missing asset, binary corrupted asset); all errors were correctly recognized, so the signed DCP is working properly.
Regarding the CA cert, I was thinking about the case where the leaf cert is supplied by a third party authority; in that case the entire trust chain must be supplied to the application signing the DCP. Am I missing anything?

Original comment by timothy_...@hotmail.com on 18 Sep 2012 at 11:06

GoogleCodeExporter commented 9 years ago
I'll have to refresh my memory on the signature stuff; I don't really have an answer for the third party certificates.

Original comment by terrenc...@gmail.com on 30 Sep 2012 at 2:48

GoogleCodeExporter commented 9 years ago
Timothy, right: in digital cinema signatures the complete (and verified) chain of public key certificates is included. These chains will have at least 2 members. Chains with 4 or 5 members are common. The length of a certificate chain is a function of a facility's internal organization; different departments might need to be able to issue certificates themselves, etc.

It's useful to think of all of a chain's certificates (but the leaf/last) as certificate authorities. There is no need to distinguish the self-signed root certificate via switch -1 and the (possibly more than 1) intermediate certificates via switch -2 like OpenDCP does it as of now (10/2012).

To be clear: current OpenDCP allows you to provide exactly 1 intermediate certificate. Like Terrence mentioned, that's the error you ran into.

A possibly better and easier way to handle this on OpenDCP's side would be to accept and process an arbitrary number of certificates. The certs need to be sorted along the issuer vector and verified anyway:

Self-signed is first (== Root CA) > find a cert issued by the previous > recurse until leaf.

Original comment by t...@online.de on 15 Oct 2012 at 6:59
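The ordering recipe from the comment above (self-signed root first, then repeatedly the certificate issued by the previous member, until the leaf), written out as an added Python example; it is not OpenDCP code and was not posted in this thread. Certificates are modelled as constructed (subject, issuer) name pairs rather than parsed PEM, so the example shows only the chain-sorting and missing-issuer logic; the `verify` parameter is an assumed hook where a real implementation would check each certificate's signature against its issuer's public key, and `opendcp_switches` maps an ordered chain onto the -1/-2/-3 switches discussed in the thread to show why a chain with more than one intermediate cannot be expressed with the current CLI.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate: only the names
    needed to link a chain. A real implementation would fill these from the
    parsed PEM (subject and issuer distinguished names)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(ValueError):
    """Raised when the supplied certificates do not form one root-to-leaf chain."""


def order_chain(certs: List[Cert],
                verify: Optional[Callable[[Cert, Cert], bool]] = None) -> List[Cert]:
    """Sort an arbitrary set of certificates into root -> intermediates -> leaf.

    The single self-signed certificate is the root; from there, repeatedly pick
    the certificate issued by the previous member until nothing is issued by the
    current one (that member is the leaf). `verify(child, issuer)` is an assumed
    hook, called once per link, where a real implementation would check the
    child's signature with the issuer's public key.
    """
    roots = [c for c in certs if c.self_signed]
    if len(roots) != 1:
        raise ChainError(f"expected exactly one self-signed root, found {len(roots)}")

    # Index the non-root certificates by the name of their issuer.
    by_issuer: Dict[str, List[Cert]] = {}
    for c in certs:
        if not c.self_signed:
            by_issuer.setdefault(c.issuer, []).append(c)

    chain = [roots[0]]
    while True:
        children = by_issuer.get(chain[-1].subject, [])
        if not children:
            break  # nothing issued by the current member: it is the leaf
        if len(children) > 1:
            raise ChainError(f"{chain[-1].subject!r} issued more than one certificate in the set")
        child = children[0]
        if child in chain:
            raise ChainError(f"issuer loop detected at {child.subject!r}")
        if verify is not None and not verify(child, chain[-1]):
            raise ChainError(f"signature of {child.subject!r} not verified by {chain[-1].subject!r}")
        chain.append(child)

    # Anything left over has an issuer that is absent from the set (or not
    # reachable from the root): the situation behind the reporter's
    # "unable to get issuer certificate" errors.
    orphans = [c for c in certs if c not in chain]
    if orphans:
        names = ", ".join(f"{c.subject} (issuer {c.issuer})" for c in orphans)
        raise ChainError(f"unable to get issuer certificate for: {names}")
    return chain


def chain_error(certs: List[Cert]) -> Optional[str]:
    """Return the ChainError message for `certs`, or None if they order cleanly."""
    try:
        order_chain(certs)
    except ChainError as exc:
        return str(exc)
    return None


def opendcp_switches(chain: List[Cert]) -> List[str]:
    """Map an ordered chain onto the CLI switches from the thread
    (-1 root, -2 intermediate, -3 signer). The CLI takes exactly one -2,
    so any other chain length is rejected here."""
    if len(chain) != 3:
        raise ChainError(f"chain has {len(chain) - 2} intermediate(s); the CLI accepts exactly one")
    root, ca, leaf = chain
    return ["-1", root.subject, "-2", ca.subject, "-3", leaf.subject]


# Constructed four-member chain, deliberately given out of order.
SAMPLE_CERTS = [
    Cert(subject="Signer", issuer="CA2"),
    Cert(subject="CA1", issuer="Root"),
    Cert(subject="Root", issuer="Root"),
    Cert(subject="CA2", issuer="CA1"),
]

# Constructed three-member chain, the only shape the current CLI can take.
SHORT_CHAIN = [
    Cert(subject="Signer", issuer="CA1"),
    Cert(subject="Root", issuer="Root"),
    Cert(subject="CA1", issuer="Root"),
]

if __name__ == "__main__":
    print(" > ".join(c.subject for c in order_chain(SAMPLE_CERTS)))
    print(chain_error([c for c in SAMPLE_CERTS if c.subject != "CA2"]))
    print(opendcp_switches(order_chain(SHORT_CHAIN)))
```

Dropping CA2 from the sample set reproduces the shape of the reporter's failure: the walk from the root stops at CA1, and the signer certificate is left over with an issuer nobody in the set can supply.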

GoogleCodeExporter commented 9 years ago
Changing to enhancement

Original comment by terrenc...@gmail.com on 12 Dec 2012 at 4:03