atst/tests/utils/test_pdf_verification.py

import pytest
from atst.utils.pdf_verification import pdf_signature_validations
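def test_unsigned_pdf():
    """A PDF that carries no signatures is reported as FAILURE with an empty list."""
    # Read through a context manager so the fixture handle is closed
    # deterministically instead of being left to the garbage collector.
    with open("tests/fixtures/sample.pdf", "rb") as fixture:
        unsigned_pdf = fixture.read()

    result = pdf_signature_validations(pdf=unsigned_pdf)

    # Zero signatures must not be reported as "OK": absence of a signature
    # is a failure, not a vacuous success.
    assert result == {"result": "FAILURE", "signature_count": 0, "signatures": []}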
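def test_valid_signed_pdf():
    """A PDF with two good signatures validates as OK and reports both signers.

    Every per-signature flag (certificate, hash, signature, overall) is pinned
    to True so that a regression in any single check makes this test fail.
    """
    # Context manager closes the fixture handle as soon as the bytes are read.
    with open("tests/fixtures/sally-darth-signed.pdf", "rb") as fixture:
        valid_signed_pdf = fixture.read()

    result = pdf_signature_validations(pdf=valid_signed_pdf)

    assert result == {
        "result": "OK",
        "signature_count": 2,
        "signatures": [
            {
                "cert_common_name": "WILLIAMS.SALLY.3453453453",
                "hashed_binary_data": "b879a15e19eece534dc63019d3fe539ff4a3efbf8e8f5403a8bdae26a9b713ea",
                "hashing_algorithm": "sha256",
                "is_valid": True,
                "is_valid_cert": True,
                "is_valid_hash": True,
                "is_valid_signature": True,
                "signers_serial": 9_662_248_800_192_484_626,
            },
            {
                "cert_common_name": "VADER.DARTH.9012345678",
                "hashed_binary_data": "d98339766c20a369219f236220d7b450111554acc902e242d015dd6d306c7809",
                "hashing_algorithm": "sha256",
                "is_valid": True,
                "is_valid_cert": True,
                "is_valid_hash": True,
                "is_valid_signature": True,
                "signers_serial": 9_662_248_800_192_484_627,
            },
        ],
    }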
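def test_signed_pdf_thats_been_modified():
    """Changing bytes of a signed PDF after signing must fail validation.

    The fixture is altered in memory by rewriting the version marker
    ``PDF-1.6`` to ``PDF-1.7``. The expected result pins that, for both
    signatures, the certificate and signature flags stay True while
    ``is_valid_hash`` turns False, which drives ``is_valid`` to False and the
    overall result to FAILURE.
    """
    # Context manager closes the fixture handle as soon as the bytes are read.
    with open("tests/fixtures/sally-darth-signed.pdf", "rb") as fixture:
        valid_signed_pdf = fixture.read()

    modified_pdf = valid_signed_pdf.replace(b"PDF-1.6", b"PDF-1.7")
    # Guard against a silently ineffective tamper step: if the fixture ever
    # stops containing the marker, fail here with a clear cause.
    assert modified_pdf != valid_signed_pdf, "fixture no longer contains b'PDF-1.6'"

    result = pdf_signature_validations(pdf=modified_pdf)

    assert result == {
        "result": "FAILURE",
        "signature_count": 2,
        "signatures": [
            {
                "cert_common_name": "WILLIAMS.SALLY.3453453453",
                "hashed_binary_data": "d1fb3c955b57f139331586276ba4abca90ecc5d36b53fe6bbbbbd8707d7124bb",
                "hashing_algorithm": "sha256",
                "is_valid": False,
                "is_valid_cert": True,
                "is_valid_hash": False,
                "is_valid_signature": True,
                "signers_serial": 9_662_248_800_192_484_626,
            },
            {
                "cert_common_name": "VADER.DARTH.9012345678",
                "hashed_binary_data": "75ef47824de4b5477c75665c5a90e39a2b8a8985422cf2f7f641661a7b5217a8",
                "hashing_algorithm": "sha256",
                "is_valid": False,
                "is_valid_cert": True,
                "is_valid_hash": False,
                "is_valid_signature": True,
                "signers_serial": 9_662_248_800_192_484_627,
            },
        ],
    }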
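def test_signed_pdf_not_on_chain():
    """A well-formed signature from a certificate that fails validation is rejected.

    The expected result pins ``is_valid_hash`` and ``is_valid_signature`` to
    True and ``is_valid_cert`` to False: the document is intact and correctly
    signed, but the overall verdict is still FAILURE because the signer's
    certificate is not accepted (per the fixture name, presumably because it
    does not chain to the trusted DoD roots).
    """
    # Context manager closes the fixture handle as soon as the bytes are read.
    with open("tests/fixtures/signed-pdf-not-dod.pdf", "rb") as fixture:
        signed_pdf_not_on_chain = fixture.read()

    result = pdf_signature_validations(pdf=signed_pdf_not_on_chain)

    assert result == {
        "result": "FAILURE",
        "signature_count": 1,
        "signatures": [
            {
                "cert_common_name": "John B Harris",
                "hashed_binary_data": "3f0047e6cb5b9bb089254b20d174445c3ba4f513",
                # NOTE(review): this fixture uses a SHA-1 digest and the hash
                # check is expected to pass; the failure comes from the
                # certificate check alone. Confirm whether SHA-1 digests
                # should be rejected in their own right.
                "hashing_algorithm": "sha1",
                "is_valid": False,
                "is_valid_cert": False,
                "is_valid_hash": True,
                "is_valid_signature": True,
                "signers_serial": 514,
            }
        ],
    }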
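@pytest.mark.skip(reason="Need fixture file")
def test_signed_pdf_dod_revoked():
    """Placeholder: a PDF signed with a revoked DoD certificate must fail.

    Skipped until the fixture file exists, so revocation handling currently
    has no coverage from this test. The per-signature values below are
    ``None`` placeholders, not real expectations.
    """
    # Context manager closes the fixture handle as soon as the bytes are read.
    with open("tests/fixtures/signed-pdf-dod_revoked.pdf", "rb") as fixture:
        signed_pdf_dod_revoked = fixture.read()

    result = pdf_signature_validations(pdf=signed_pdf_dod_revoked)

    # NOTE(review): unlike the other tests in this file, this expected entry
    # has no "is_valid_signature" key; add it together with real values when
    # the fixture is supplied, otherwise the equality check cannot match.
    assert result == {
        "result": "FAILURE",
        "signature_count": 1,
        "signatures": [
            {
                "cert_common_name": None,
                "hashed_binary_data": None,
                "hashing_algorithm": None,
                "is_valid": None,
                "is_valid_cert": None,
                "is_valid_hash": None,
                "signers_serial": None,
            }
        ],
    }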
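def test_signed_dod_pdf_signer_cert_expired():
    """A signature made with an expired signer certificate is rejected.

    The expected result pins ``is_valid_hash`` and ``is_valid_signature`` to
    True and ``is_valid_cert`` to False, so the FAILURE verdict comes from the
    certificate check rather than from the document contents.
    """
    #
    # TODO: Is this good enough? Do we want an expired DOD certificate? This test is using
    # a fake DOD certificate.
    #
    # NOTE(review): because the certificate is fake, is_valid_cert may be False
    # for chain reasons rather than expiry; this test alone does not prove the
    # expiry check works.
    #
    # Local renamed from signed_pdf_dod_revoked: the fixture is the
    # expired-certificate PDF, not a revoked one. The context manager closes
    # the handle as soon as the bytes are read.
    with open("tests/fixtures/signed-expired-cert.pdf", "rb") as fixture:
        signed_pdf_expired_cert = fixture.read()

    result = pdf_signature_validations(pdf=signed_pdf_expired_cert)

    assert result == {
        "result": "FAILURE",
        "signature_count": 1,
        "signatures": [
            {
                "cert_common_name": "Bob Alice",
                "hashed_binary_data": "bcfad46c89b1695325f5b6e73b589d086e3925ab384def6fcb13904991e69077",
                "hashing_algorithm": "sha256",
                "is_valid": False,
                "is_valid_cert": False,
                "is_valid_hash": True,
                "is_valid_signature": True,
                # NOTE(review): the serial is reported as a negative integer;
                # presumably the fake certificate's serial has its high bit
                # set and is decoded as signed. Confirm this is intended.
                "signers_serial": -180_673_825_300_246_991_177_196,
            }
        ],
    }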
@pytest.mark.skip(reason="TODO")
def test_crl_check_unavailable():
    """Placeholder for the case where the CRL check cannot be performed.

    Not implemented and always skipped, so nothing in this file pins what
    validation returns when revocation data is unavailable.
    NOTE(review): decide whether validation should fail closed in that case
    and assert it here.
    """