DKDM loading doesn't work

emperorstephen
Posts: 5
Joined: Wed Apr 23, 2025 1:22 pm

DKDM loading doesn't work

Post by emperorstephen »

Hello all,
Deluxe studio has sent us a DKDM in order to unlock an encrypted DCP, so we can add our subtitles to it. We have sent them the leaf certificate and the DKDM they have sent us has an error of "This KDM was not made for DCP-o-matic's decryption certificate. Could not decrypt KDM (error:02000079:rsa routines::oaep decoding error) (256/2048)"

Before sending them the leaf certificate, we made a test run with another laptop and another version of DCP-o-matic, and it was successful. We have notified them of the error in loading, re-sent the certificate and again the same problem. And they say that the DKDM they sent is for the leaf certificate we sent them and the mistake is on our end.
Is there some way to check their DKDM with our leaf certificate to see that it is indeed correct, and if there is an error to let them know with tangible proof?

They also sent us this:
CPL ID(s):
e1d34016-d863-4dd0-98d6-cff407da0fb5
137121b8-d0ab-4b63-89c0-4acbce9573f2

If anyone has any info on how to solve it we would greatly appreciate it!
carl
Site Admin
Posts: 2727
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM loading doesn't work

Post by carl »

Hi, if you can send the DKDM and your DCP-o-matic configuration (go to Tools -> Export preferences) I can have a look

carl@dcpomatic.com
emperorstephen
Posts: 5
Joined: Wed Apr 23, 2025 1:22 pm

Re: DKDM loading doesn't work

Post by emperorstephen »

Hi Carl,
just sent them.
Many thanks!
carl
Site Admin
Posts: 2727
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM loading doesn't work

Post by carl »

Hi Stephen

It looks like you sent them the wrong certificate. Did you use the "Export KDM decryption leaf certificate" button in preferences?

The KDM is made for the signing certificate, not the KDM decryption one.

If Deluxe don't want to remake the KDM we could make it work, but it would probably be easier to use the button I mention above and ask for a new KDM against that certificate.
emperorstephen
Posts: 5
Joined: Wed Apr 23, 2025 1:22 pm

Re: DKDM loading doesn't work

Post by emperorstephen »

Hi Carl,
thanks for the info. We exported the certificate from where you said, I am attaching the screenshot from where we exported it.

How could we make it work without them issuing a new one?

Thanks!
carl
Site Admin
Posts: 2727
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM loading doesn't work

Post by carl »

That's odd - so you sent them dcpomatic_kdm_decryption_cert.pem that was in the ZIP you sent?

If so, it looks like they are making the KDM for the wrong key - I think they must be using one you sent previously, that they have kept?

We could prove this to them by showing that the "subject" of the KDM is not the same as the certificate.

To hack around it to make it work we'd need to modify your DCP-o-matic configuration. Is this the only project you are working on with KDMs, or do you have others? Also, what version of DCP-o-matic are you using?
emperorstephen
Posts: 5
Joined: Wed Apr 23, 2025 1:22 pm

Re: DKDM loading doesn't work

Post by emperorstephen »

Yes, that is correct, we sent them the .pem file that was generated.
We also made a point to say to them to delete any previous file and use the new one attached (which we tested with another computer successfully).

If you could let me know what to show them, so we can prove that the mistake is on their end?

"To hack around it to make it work we'd need to modify your DCP-o-matic configuration. Is this the only project you are working on with KDMs, or do you have others? Also, what version of DCP-o-matic are you using?"
Yes this is the only project we are working on, we are using the latest version Stable release: 2.18.17
carl
Site Admin
Posts: 2727
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM loading doesn't work

Post by carl »

I did this on the certificate you sent

shankly:~/tmp/kollias $ openssl x509 -text -in dcpomatic_kdm_decryption_cert.pem | grep Subject:
        Subject: O=dcpomatic.com, OU=dcpomatic.com, CN=CS.dcpomatic.smpte-430-2.LEAF, dnQualifier=blSHQb2CUc6fu/xY4zIw0I1nt0c=

This shows the subject for the certificate you sent. But looking in the KDM

shankly:~/tmp/kollias $ cat 1000_DCPO-AHFF_Querer_EP-103-104_S_ES-XX_ES_51_2K_INDI_20240903_DLX_SMPTE_OV_2504220000_2506042359.kdm.xml | grep -C1 /Recipient
          <X509SubjectName>dnQualifier=g\+1sZR6RI3xtJKq7yhPzkKSBN9c=,CN=CS.dcpomatic.smpte-430-2.LEAF,OU=dcpomatic.com,O=dcpomatic.com</X509SubjectName>
        </Recipient>
        <CompositionPlaylistId>urn:uuid:137121b8-d0ab-4b63-89c0-4acbce9573f2</CompositionPlaylistId>

shows the recipient is different. And as it happens, this recipient is the same as your DoM signer certificate (the wrong one).
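
The comparison made by hand in the post above can be scripted so the result can be handed to the KDM issuer. This is an added example, not part of the original posts and not DCP-o-matic code: the function names are hypothetical, the certificate subject is the openssl output quoted above, and the KDM is a constructed fragment containing only the Recipient element.

```python
import xml.etree.ElementTree as ET

def parse_dn(dn):
    """Parse a DN into {attribute: value}; order, spacing and \\X escapes are normalised."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):    # escaped character such as \+ (hex escapes not handled)
            cur, i = cur + dn[i + 1], i + 2
            continue
        if ch == ",":                         # an unescaped comma ends one attribute
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    pairs = (p.partition("=") for p in parts if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def kdm_recipient_subject(kdm_xml):
    """Return the text of Recipient/X509SubjectName, matching tags by local name."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    for el in ET.fromstring(kdm_xml).iter():
        if local(el.tag) == "Recipient":
            for child in el.iter():
                if local(child.tag) == "X509SubjectName":
                    return child.text.strip()
    raise ValueError("KDM has no Recipient/X509SubjectName")

def subject_mismatch(cert_subject, kdm_xml):
    """Map each differing attribute to (value in certificate, value in KDM)."""
    cert, kdm = parse_dn(cert_subject), parse_dn(kdm_recipient_subject(kdm_xml))
    return {a: (cert.get(a), kdm.get(a))
            for a in sorted(cert.keys() | kdm.keys()) if cert.get(a) != kdm.get(a)}

# Subject line as printed by openssl in the post above.
CERT_SUBJECT = ("O=dcpomatic.com, OU=dcpomatic.com, "
                "CN=CS.dcpomatic.smpte-430-2.LEAF, dnQualifier=blSHQb2CUc6fu/xY4zIw0I1nt0c=")
# Constructed fragment: only the Recipient element, with the subject quoted in the post.
KDM_FRAGMENT = r"""<KDM><Recipient>
  <X509SubjectName>dnQualifier=g\+1sZR6RI3xtJKq7yhPzkKSBN9c=,CN=CS.dcpomatic.smpte-430-2.LEAF,OU=dcpomatic.com,O=dcpomatic.com</X509SubjectName>
</Recipient></KDM>"""

if __name__ == "__main__":
    for attr, (in_cert, in_kdm) in subject_mismatch(CERT_SUBJECT, KDM_FRAGMENT).items():
        print(f"{attr}: certificate={in_cert} KDM={in_kdm}")
```

An empty result means the KDM names the certificate as its recipient. Here only dnQualifier differs, and since that attribute in SMPTE 430-2 certificates is a thumbprint of the public key, the KDM was encrypted to a different key, which matches the OAEP decoding error reported in the first post.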
carl
Site Admin
Posts: 2727
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM loading doesn't work

Post by carl »

I will email you a new config.xml.
emperorstephen
Posts: 5
Joined: Wed Apr 23, 2025 1:22 pm

Re: DKDM loading doesn't work

Post by emperorstephen »

Thank you, solved! :D :D :D