"kdm was made for dcp-o-matic but not for its leaf certificate"

Anything and everything to do with DCP-o-matic.
sup
Posts: 45
Joined: Thu Feb 16, 2017 11:07 am

"kdm was made for dcp-o-matic but not for its leaf certificate"

Post by sup »

I am trying to open an encrypted DCP with a KDM I was issued. I get the error "kdm was made for dcp-o-matic but not for its leaf certificate".

What does it mean? Do I need to ask the issuer of the DKDM for a new DKDM (and what did they do wrong?) or can I subvert this somehow?
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by Carsten »

In order for 'someone' to issue a KDM for your DCP-o-matic installation, you have to supply your DCP-o-matic certificate to them. You probably did that, but gave them the wrong certificate - maybe the root or intermediate certificate. In order to decrypt a DCP, it needs to be the leaf certificate.

That - or there is a bug in DCP-o-matic. I suggest you export the leaf certificate only, send it to them, and let them reissue the KDM.

- Carsten
sup
Posts: 45
Joined: Thu Feb 16, 2017 11:07 am

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by sup »

Well, indeed, I sent them both my leaf certificate and the certificate chain (I saw it recommended here to send the whole chain, but apparently, it has its own pitfalls).

Out of curiosity, how can I check which certificate it was issued against?

And also, what is the use of intermediate and root certificates then?
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by Carsten »

The leaf certificate is immediately used for decryption. The intermediate and root certificates are only used to trace/reference the leaf certificate towards an authorization entity. They can be used to identify a leaf certificate to be trusted, but they are not involved in the actual process of decryption.

- Carsten
sup
Posts: 45
Joined: Thu Feb 16, 2017 11:07 am

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by sup »

Indeed. But tracing the leaf certificate to an authorization entity only traces it to a self-signed certificate that is unique to my install (I can see why that is due to DOM being open source).

Anyway, they issued the DKDM against my root certificate. Inside the DKDM, there was a line identifying it:


<ds:X509IssuerName>dnQualifier=sP5klKED5qrR3lni5Himr02XoFw=,CN=.dcpomatic.smpte-430-2.ROOT,OU=dcpomatic.com,O=dcpomatic.com</ds:X509IssuerName>
Also, when one exports the certificates from DOM one by one and then unpacks them with:


openssl x509 -in certificate.pem -text -noout >certificate.txt
one can see the fields


X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
to trace what was signed by what and the line


Subject:
gives away if the certificate in question is root, intermediate or leaf.

So I will ask them to send me a new DKDM.
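The check sup describes above (read the Key Identifier and Subject fields with openssl, then see which certificate the KDM's recipient block names) can be scripted. The script below is an added example, not code from this thread or from the DCP-o-matic project: it builds a throwaway root -> intermediate -> leaf chain with placeholder names, classifies each file by its Subject/Authority Key Identifiers and CA flag, and then matches a constructed KDM recipient pair (the X509IssuerName shown above plus the X509SerialNumber that standard KDMs carry next to it) to the certificate it points at. It assumes the openssl command line tool is installed.

```shell
# Added example (not from the thread or DCP-o-matic): build a throwaway root ->
# intermediate -> leaf chain with openssl, classify each file by its Key Identifiers,
# then look up which certificate a KDM's X509IssuerName/X509SerialNumber pair names.
set -eu
WORK=$(mktemp -d)   # all names below are placeholders, not a real DCP-o-matic chain
# gen_cert SUBJECT OUTNAME CA_FLAG SERIAL [ISSUER_NAME]; self-signed when no issuer given
gen_cert() {
  subj=$1; out=$2; isca=$3; serial=$4; issuer=${5:-}
  printf 'basicConstraints=critical,CA:%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' \
    "$isca" > "$WORK/$out.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$out.key" -out "$WORK/$out.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$out.csr" -signkey "$WORK/$out.key" -days 1 \
      -set_serial "$serial" -extfile "$WORK/$out.ext" -out "$WORK/$out.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$out.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -days 1 -set_serial "$serial" -extfile "$WORK/$out.ext" -out "$WORK/$out.pem" 2>/dev/null
  fi
}
# cert_role PEM: ROOT when SKI equals AKI (self-signed), INTERMEDIATE when CA:TRUE, else LEAF
cert_role() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ski=$(printf '%s\n' "$txt" | awk '/Subject Key Identifier/{getline; sub(/^ +/,""); print; exit}')
  aki=$(printf '%s\n' "$txt" | awk '/Authority Key Identifier/{getline; sub(/^ +(keyid:)?/,""); print; exit}')
  if [ "$ski" = "$aki" ]; then echo ROOT
  elif printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then echo INTERMEDIATE
  else echo LEAF; fi
}
# kdm_recipient ISSUER_DN DECIMAL_SERIAL PEM...: prints the file whose issuer (RFC 2253 form) and serial match
kdm_recipient() {
  want_dn=$1; want_sn=$(printf '%02X' "$2"); shift 2
  for f in "$@"; do
    dn=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    sn=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
    [ "$dn" = "$want_dn" ] && [ "$sn" = "$want_sn" ] && { echo "$f"; return 0; }
  done
  return 1
}
gen_cert "/O=example/CN=ROOT" root TRUE 1
gen_cert "/O=example/CN=INTERMEDIATE" inter TRUE 2 root
gen_cert "/O=example/CN=LEAF" leaf FALSE 3 inter
CHAIN="$WORK/root.pem $WORK/inter.pem $WORK/leaf.pem"
for f in $CHAIN; do printf '%s  %s\n' "$(cert_role "$f")" "$(openssl x509 -in "$f" -noout -subject)"; done
# Constructed KDM recipient fields: issuer ROOT with serial 2 names the intermediate, not the leaf
KDM_ISSUER='CN=ROOT,O=example'; KDM_SERIAL=2
TARGET=$(kdm_recipient "$KDM_ISSUER" "$KDM_SERIAL" $CHAIN)
echo "KDM recipient certificate: $TARGET ($(cert_role "$TARGET"))"
```

A KDM whose recipient resolves to anything but the LEAF file is the situation behind the error in this thread; an issuer name alone (as in the snippet above) only narrows it down, the serial number settles which certificate was used.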
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by Carsten »

In general, it is safer to only supply the leaf certificate (also for projection equipment). If they need the full chain, they will usually request it specifically, or they have means to obtain it from the equipment manufacturer's TDL databases.

- Carsten
sup
Posts: 45
Joined: Thu Feb 16, 2017 11:07 am

Re: "kdm was made for dcp-o-matic but not for its leaf certificate"

Post by sup »

Yes, I have seen this advice on the forum after searching it fairly frequently. Unfortunately, I only did that search now; before, I had read only one thread where they specifically asked for the whole thing. Well, at least now I know something about certificates :-).