Merge pull request #711 from dod-ccpo/pdf-signature-verification

Verify PDF signatures
2019-03-20 15:35:55 -04:00
parent 73414d50e3 5572452cc0
commit 27314b8120
8 changed files with 419 additions and 39 deletions
--- a/tests/fixtures/sally-darth-signed.pdf
+++ b/tests/fixtures/sally-darth-signed.pdf
--- a/tests/fixtures/signed-expired-cert.pdf
+++ b/tests/fixtures/signed-expired-cert.pdf
--- a/tests/fixtures/signed-pdf-not-dod.pdf
+++ b/tests/fixtures/signed-pdf-not-dod.pdf
--- a/tests/utils/test_pdf_verification.py
+++ b/tests/utils/test_pdf_verification.py
@@ -0,0 +1,145 @@
+import pytest
+
+import cryptography
+from atst.domain.authnid.crl import CRLCache, CRLRevocationException
+from atst.utils.pdf_verification import pdf_signature_validations
+
+
+@pytest.fixture
+def crl_check():
+    def _crl_check(signers_cert):
+        try:
+            cache = CRLCache(
+                "ssl/server-certs/ca-chain.pem",
+                crl_locations=["ssl/client-certs/client-ca.der.crl"],
+            )
+            return cache.crl_check(signers_cert)
+        except CRLRevocationException:
+            return False
+
+    return _crl_check
+
+
+def test_unsigned_pdf(crl_check):
+    unsigned_pdf = open("tests/fixtures/sample.pdf", "rb").read()
+    result = pdf_signature_validations(pdf=unsigned_pdf, crl_check=crl_check)
+
+    assert result == {"result": False, "signature_count": 0, "signatures": []}
+
+
+def test_valid_signed_pdf(crl_check):
+    valid_signed_pdf = open("tests/fixtures/sally-darth-signed.pdf", "rb").read()
+    result = pdf_signature_validations(pdf=valid_signed_pdf, crl_check=crl_check)
+
+    assert result == {
+        "result": True,
+        "signature_count": 2,
+        "signatures": [
+            {
+                "cert_common_name": "WILLIAMS.SALLY.3453453453",
+                "hashed_binary_data": "b879a15e19eece534dc63019d3fe539ff4a3efbf8e8f5403a8bdae26a9b713ea",
+                "hashing_algorithm": "sha256",
+                "is_valid": True,
+                "is_valid_cert": True,
+                "is_valid_hash": True,
+                "is_valid_signature": True,
+                "signers_serial": 9_662_248_800_192_484_626,
+            },
+            {
+                "cert_common_name": "VADER.DARTH.9012345678",
+                "hashed_binary_data": "d98339766c20a369219f236220d7b450111554acc902e242d015dd6d306c7809",
+                "hashing_algorithm": "sha256",
+                "is_valid": True,
+                "is_valid_cert": True,
+                "is_valid_hash": True,
+                "is_valid_signature": True,
+                "signers_serial": 9_662_248_800_192_484_627,
+            },
+        ],
+    }
+
+
+def test_signed_pdf_thats_been_modified(crl_check):
+    valid_signed_pdf = open("tests/fixtures/sally-darth-signed.pdf", "rb").read()
+    modified_pdf = valid_signed_pdf.replace(b"PDF-1.6", b"PDF-1.7")
+    result = pdf_signature_validations(pdf=modified_pdf, crl_check=crl_check)
+
+    assert result == {
+        "result": False,
+        "signature_count": 2,
+        "signatures": [
+            {
+                "cert_common_name": "WILLIAMS.SALLY.3453453453",
+                "hashed_binary_data": "d1fb3c955b57f139331586276ba4abca90ecc5d36b53fe6bbbbbd8707d7124bb",
+                "hashing_algorithm": "sha256",
+                "is_valid": False,
+                "is_valid_cert": True,
+                "is_valid_hash": False,
+                "is_valid_signature": True,
+                "signers_serial": 9_662_248_800_192_484_626,
+            },
+            {
+                "cert_common_name": "VADER.DARTH.9012345678",
+                "hashed_binary_data": "75ef47824de4b5477c75665c5a90e39a2b8a8985422cf2f7f641661a7b5217a8",
+                "hashing_algorithm": "sha256",
+                "is_valid": False,
+                "is_valid_cert": True,
+                "is_valid_hash": False,
+                "is_valid_signature": True,
+                "signers_serial": 9_662_248_800_192_484_627,
+            },
+        ],
+    }
+
+
+def test_signed_pdf_that_has_invalid_signature(mocker):
+    def mock_crl_check(_):
+        return True
+
+    mocker.patch.object(
+        cryptography.hazmat.backends.openssl.rsa._RSAPublicKey, "verify", Exception()
+    )
+
+    valid_signed_pdf = open("tests/fixtures/signed-pdf-not-dod.pdf", "rb").read()
+    result = pdf_signature_validations(pdf=valid_signed_pdf, crl_check=mock_crl_check)
+
+    assert result == {
+        "result": False,
+        "signature_count": 1,
+        "signatures": [
+            {
+                "cert_common_name": "John B Harris",
+                "hashed_binary_data": "3f0047e6cb5b9bb089254b20d174445c3ba4f513",
+                "hashing_algorithm": "sha1",
+                "is_valid": False,
+                "is_valid_cert": True,
+                "is_valid_hash": True,
+                "is_valid_signature": False,
+                "signers_serial": 514,
+            }
+        ],
+    }
+
+
+@pytest.mark.skip(reason="Need fixture file")
+def test_signed_pdf_dod_revoked(crl_check):
+    signed_pdf_dod_revoked = open(
+        "tests/fixtures/signed-pdf-dod_revoked.pdf", "rb"
+    ).read()
+    result = pdf_signature_validations(pdf=signed_pdf_dod_revoked, crl_check=crl_check)
+
+    assert result == {
+        "result": False,
+        "signature_count": 1,
+        "signatures": [
+            {
+                "cert_common_name": None,
+                "hashed_binary_data": None,
+                "hashing_algorithm": None,
+                "is_valid": None,
+                "is_valid_cert": None,
+                "is_valid_hash": None,
+                "signers_serial": None,
+            }
+        ],
+    }