[feat] implement OpenSSL::PKCS7::SignerInfo#signed_time (#269)

jruby · Apr 8, 2024 · 04de740 · 04de740
1 parent 461ed98
commit 04de740
Show file tree

Hide file tree

Showing 3 changed files with 139 additions and 2 deletions.
diff --git a/src/main/java/org/jruby/ext/openssl/PKCS7.java b/src/main/java/org/jruby/ext/openssl/PKCS7.java
@@ -29,8 +29,10 @@
 
 import java.io.IOException;
 import java.io.StringWriter;
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 
@@ -39,6 +41,7 @@
 import java.security.cert.CertificateEncodingException;
 
 import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1UTCTime;
 
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
@@ -49,6 +52,7 @@
 import org.jruby.RubyNumeric;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
+import org.jruby.RubyTime;
 import org.jruby.anno.JRubyClass;
 import org.jruby.anno.JRubyMethod;
 import org.jruby.exceptions.RaiseException;
@@ -738,8 +742,20 @@ public IRubyObject serial() {
 
         @JRubyMethod
         public IRubyObject signed_time(final ThreadContext context) {
-            warn(context, "WARNING: unimplemented method called: OpenSSL::PKCS7::SignerInfo#signed_time");
-            return context.runtime.getNil();
+            ASN1Encodable asn1obj = info.getSignedAttribute(ASN1Registry.NID_pkcs9_signingTime);
+            if (asn1obj == null) {
+                throw newPKCS7Error(context.runtime, "no signing time attribute");
+            }
+            if (asn1obj instanceof ASN1UTCTime) {
+                final Date adjusted;
+                try {
+                    adjusted = ((ASN1UTCTime) asn1obj).getAdjustedDate();
+                } catch (ParseException ex) {
+                    throw newPKCS7Error(context.runtime, ex);
+                }
+                return RubyTime.newTime(context.runtime, adjusted.getTime());
+            }
+            return context.nil;
         }
     }
 

diff --git a/src/test/ruby/fixtures/pkey/rsa2048 b/src/test/ruby/fixtures/pkey/rsa2048
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN
+s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign
+4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D
+kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl
+NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J
+DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb
+I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq
+PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V
+seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0
+Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc
+VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW
+wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G
+0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj
+XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb
+aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n
+h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw
+Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k
+IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb
+v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId
+U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr
+vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS
+Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC
+9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41
+gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG
+4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw==
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/ruby/pkcs7/test_pkcs7.rb b/src/test/ruby/pkcs7/test_pkcs7.rb
@@ -1,4 +1,5 @@
 # coding: US-ASCII
+require File.expand_path('../test_helper', File.dirname(__FILE__))
 
 module PKCS7Test
   class TestPKCS7 < TestCase
@@ -889,5 +890,98 @@ def test_enveloped
     end
 
   end
+
+  # NOTE: based on MRI's test_pkcs7.rb
+  class TestOpenSSL < TestCase
+    def setup
+      @rsa1024 = Fixtures.pkey("rsa1024")
+      @rsa2048 = Fixtures.pkey("rsa2048")
+      ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+      ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1")
+      ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2")
+
+      ca_exts = [
+        ["basicConstraints","CA:TRUE",true],
+        ["keyUsage","keyCertSign, cRLSign",true],
+        ["subjectKeyIdentifier","hash",false],
+        ["authorityKeyIdentifier","keyid:always",false],
+      ]
+      @ca_cert = issue_cert(ca, @rsa2048, 1, ca_exts, nil, nil)
+      ee_exts = [
+        ["keyUsage","Non Repudiation, Digital Signature, Key Encipherment",true],
+        ["authorityKeyIdentifier","keyid:always",false],
+        ["extendedKeyUsage","clientAuth, emailProtection, codeSigning",false],
+      ]
+      @ee1_cert = issue_cert(ee1, @rsa1024, 2, ee_exts, @ca_cert, @rsa2048)
+      @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048)
+    end
+
+    def test_signed
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      ca_certs = [@ca_cert]
+
+      data = "aaaaa\r\nbbbbb\r\nccccc\r\n"
+      tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs)
+      p7 = OpenSSL::PKCS7.new(tmp.to_der)
+      certs = p7.certificates
+      signers = p7.signers
+      assert(p7.verify([], store))
+      assert_equal(data, p7.data)
+      assert_equal(2, certs.size)
+      assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+      assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+      assert_equal(1, signers.size)
+      assert_equal(@ee1_cert.serial, signers[0].serial)
+      assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+      # Normally OpenSSL tries to translate the supplied content into canonical
+      # MIME format (e.g. a newline character is converted into CR+LF).
+      # If the content is a binary, PKCS7::BINARY flag should be used.
+
+      data = "aaaaa\nbbbbb\nccccc\n"
+      flag = OpenSSL::PKCS7::BINARY
+      tmp = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, ca_certs, flag)
+      assert_equal OpenSSL::PKCS7, tmp.class
+
+      p7 = OpenSSL::PKCS7.new(tmp.to_der)
+      certs = p7.certificates
+      signers = p7.signers
+      assert(p7.verify([], store))
+      assert_equal(data, p7.data)
+      assert_equal(2, certs.size)
+      assert_equal(@ee1_cert.subject.to_s, certs[0].subject.to_s)
+      assert_equal(@ca_cert.subject.to_s, certs[1].subject.to_s)
+      assert_equal(1, signers.size)
+      assert_equal(@ee1_cert.serial, signers[0].serial)
+      assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+
+      # A signed-data which have multiple signatures can be created
+      # through the following steps.
+      #   1. create two signed-data
+      #   2. copy signerInfo and certificate from one to another
+
+      tmp1 = OpenSSL::PKCS7.sign(@ee1_cert, @rsa1024, data, [], flag)
+      tmp2 = OpenSSL::PKCS7.sign(@ee2_cert, @rsa1024, data, [], flag)
+      tmp1.add_signer(tmp2.signers[0])
+      tmp1.add_certificate(@ee2_cert)
+
+      p7 = OpenSSL::PKCS7.new(tmp1.to_der)
+      certs = p7.certificates
+      signers = p7.signers
+      assert(p7.verify([], store))
+      assert_equal(data, p7.data)
+      assert_equal(2, certs.size)
+      assert_equal(2, signers.size)
+      assert_equal(@ee1_cert.serial, signers[0].serial)
+      assert_equal(@ee1_cert.issuer.to_s, signers[0].issuer.to_s)
+      assert_equal(@ee2_cert.serial, signers[1].serial)
+      assert_equal(@ee2_cert.issuer.to_s, signers[1].issuer.to_s)
+
+      assert signers[0].signed_time
+      assert_equal Time, signers[1].signed_time.class
+    end
+
+  end
 end