feat(timestamp): ensure signature is openssl compatible

This commit is contained in:
simon lehericey 2022-12-06 12:06:11 +01:00 committed by Paul Chavard
parent 86cda6a0b9
commit fe8bd15939
2 changed files with 80 additions and 0 deletions

View file

@ -12,5 +12,38 @@ class BillSignatureService
signature = Certigna::API.timestamp(bill.digest)
bill.set_signature(signature, day)
bill.save!
ensure_valid_signature(bill.reload)
rescue => error
operations.each { |o| o.update(bill_signature: nil) }
bill&.destroy
raise error
end
def self.ensure_valid_signature(bill)
Dir.mktmpdir do |dir|
operations_path = File.join(dir, 'operations')
File.write(operations_path, bill.serialized.download, mode: 'wb')
signature_path = File.join(dir, 'signature')
File.write(signature_path, bill.signature.download, mode: 'wb')
authorities_path = Rails.application.config.root.join('app', 'lib', 'certigna', 'authorities.crt').to_s
verify_cmd = "openssl ts -verify -CAfile #{authorities_path.shellescape} -data #{operations_path.shellescape} -in #{signature_path.shellescape} -token_in"
openssl_errors = nil
openssl_output = nil
process_status = Open3.popen3(verify_cmd) do |_stdin, stdout, stderr, wait_thr|
openssl_errors = stderr.read
openssl_output = stdout.read
wait_thr.value
end
if !process_status.success? || openssl_output&.strip != 'Verification: OK'
raise StandardError, "openssl verification failed: #{openssl_errors}"
end
end
end
end

View file

@ -32,4 +32,51 @@ describe BillSignatureService do
it { is_expected.to eq 0 }
end
end
describe ".sign_operations" do
let(:date) { Date.today }
let(:operations_hash) { [['1', 'hash1'], ['2', 'hash2']] }
let(:operations) do
operations_hash
.map { |id, digest| DossierOperationLog.new(id:, digest:, operation: 'accepter') }
end
let(:timestamp) { File.read('spec/fixtures/files/bill_signature/signature.der') }
subject { BillSignatureService.sign_operations(operations, date) }
before do
DossierOperationLog.where(id: [1, 2]).destroy_all
expect(Certigna::API).to receive(:timestamp).and_return(timestamp)
end
context "when everything is fine" do
it do
expect { subject }.not_to raise_error
expect(BillSignature.count).to eq(1)
end
end
context "when the digest does not match with the pre recorded timestamp token" do
let(:operations_hash) { [['1', 'hash1'], ['2', 'hash3']] }
it do
expect { subject }.to raise_error(/La validation a échoué : signature ne correspond pas à lempreinte/)
expect(BillSignature.count).to eq(0)
end
end
context "when the timestamp token cannot be verified by openssl" do
let(:timestamp) do
File.read('spec/fixtures/files/bill_signature/signature.der').tap { |s| s[-1] = 'd' }
end
it do
expect { subject }.to raise_error(/openssl verification failed/)
expect(BillSignature.count).to eq(0)
end
end
end
end