easy_code_sign 0.1.0

data/test/verification_test.rb

@@ -0,0 +1,350 @@
+# frozen_string_literal: true
+
+require "test_helper"
+require "tempfile"
+
+class VerificationResultTest < Minitest::Test
+  def test_initializes_with_default_values
+    result = EasyCodeSign::Verification::Result.new
+
+    refute result.valid?
+    refute result.signature_valid?
+    refute result.integrity_valid?
+    refute result.certificate_valid?
+    refute result.chain_valid?
+    refute result.trusted?
+    refute result.timestamped?
+    assert_empty result.errors
+    assert_empty result.warnings
+  end
+
+  def test_add_error
+    result = EasyCodeSign::Verification::Result.new
+    result.add_error("Test error")
+
+    assert_includes result.errors, "Test error"
+  end
+
+  def test_add_warning
+    result = EasyCodeSign::Verification::Result.new
+    result.add_warning("Test warning")
+
+    assert_includes result.warnings, "Test warning"
+  end
+
+  def test_certificate_expired_returns_true_for_expired_cert
+    result = EasyCodeSign::Verification::Result.new
+
+    cert = OpenSSL::X509::Certificate.new
+    cert.not_before = Time.now - 86_400 * 365
+    cert.not_after = Time.now - 86_400 # Expired yesterday
+
+    result.signer_certificate = cert
+
+    assert result.certificate_expired?
+  end
+
+  def test_certificate_expired_returns_false_for_valid_cert
+    result = EasyCodeSign::Verification::Result.new
+
+    cert = OpenSSL::X509::Certificate.new
+    cert.not_before = Time.now - 86_400
+    cert.not_after = Time.now + 86_400 * 365
+
+    result.signer_certificate = cert
+
+    refute result.certificate_expired?
+  end
+
+  def test_to_h_returns_hash
+    result = EasyCodeSign::Verification::Result.new
+    result.file_path = "/path/to/file.gem"
+    result.file_type = :gem
+    result.valid = true
+
+    hash = result.to_h
+
+    assert_equal "/path/to/file.gem", hash[:file_path]
+    assert_equal :gem, hash[:file_type]
+    assert hash[:valid]
+    assert_kind_of Hash, hash[:checks]
+  end
+
+  def test_summary_returns_string
+    result = EasyCodeSign::Verification::Result.new
+    result.valid = true
+
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = OpenSSL::X509::Name.parse("/CN=Test Signer")
+    result.signer_certificate = cert
+    result.signer_name = "Test Signer"
+
+    summary = result.summary
+
+    assert_includes summary, "VALID"
+    assert_includes summary, "Test Signer"
+  end
+end
+
+class TrustStoreTest < Minitest::Test
+  def test_initializes_with_system_certs_by_default
+    store = EasyCodeSign::Verification::TrustStore.new
+
+    assert_instance_of OpenSSL::X509::Store, store.store
+  end
+
+  def test_initializes_without_system_certs
+    store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+
+    assert_instance_of OpenSSL::X509::Store, store.store
+  end
+
+  def test_add_certificate
+    store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+
+    # Create a self-signed certificate
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_self_signed_cert(key)
+
+    result = store.add_certificate(cert)
+
+    assert_same store, result # Returns self for chaining
+  end
+
+  def test_add_file_from_pem
+    store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_self_signed_cert(key)
+
+    temp_file = Tempfile.new(["cert", ".pem"])
+    temp_file.write(cert.to_pem)
+    temp_file.close
+
+    result = store.add_file(temp_file.path)
+
+    assert_same store, result
+  ensure
+    temp_file&.unlink
+  end
+
+  def test_verify_returns_hash
+    store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_self_signed_cert(key)
+    store.add_certificate(cert)
+
+    result = store.verify(cert)
+
+    assert_kind_of Hash, result
+    assert_includes result.keys, :trusted
+    assert_includes result.keys, :error
+  end
+
+  private
+
+  def create_self_signed_cert(key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = OpenSSL::X509::Name.parse("/CN=Test CA")
+    cert.issuer = cert.subject
+    cert.public_key = key.public_key
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 86_400 * 365
+    cert.sign(key, OpenSSL::Digest.new("SHA256"))
+    cert
+  end
+end
+
+class CertificateChainTest < Minitest::Test
+  def setup
+    @trust_store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+    @key = OpenSSL::PKey::RSA.new(2048)
+    @cert = create_valid_cert(@key)
+    @trust_store.add_certificate(@cert)
+  end
+
+  def test_validate_returns_result_object
+    validator = EasyCodeSign::Verification::CertificateChain.new(@trust_store)
+
+    result = validator.validate(@cert)
+
+    assert_instance_of EasyCodeSign::Verification::ChainValidationResult, result
+  end
+
+  def test_validates_self_signed_trusted_cert
+    validator = EasyCodeSign::Verification::CertificateChain.new(@trust_store)
+
+    result = validator.validate(@cert)
+
+    assert result.certificate_valid
+  end
+
+  def test_detects_expired_certificate
+    validator = EasyCodeSign::Verification::CertificateChain.new(@trust_store)
+
+    expired_key = OpenSSL::PKey::RSA.new(2048)
+    expired_cert = create_expired_cert(expired_key)
+
+    result = validator.validate(expired_cert)
+
+    refute result.certificate_valid
+    assert result.expired
+    assert_any_match(result.errors, /expired/i)
+  end
+
+  private
+
+  def create_valid_cert(key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = OpenSSL::X509::Name.parse("/CN=Test Cert")
+    cert.issuer = cert.subject
+    cert.public_key = key.public_key
+    cert.not_before = Time.now - 86_400
+    cert.not_after = Time.now + 86_400 * 365
+    cert.sign(key, OpenSSL::Digest.new("SHA256"))
+    cert
+  end
+
+  def create_expired_cert(key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 2
+    cert.subject = OpenSSL::X509::Name.parse("/CN=Expired Cert")
+    cert.issuer = cert.subject
+    cert.public_key = key.public_key
+    cert.not_before = Time.now - 86_400 * 365
+    cert.not_after = Time.now - 86_400 # Expired yesterday
+    cert.sign(key, OpenSSL::Digest.new("SHA256"))
+    cert
+  end
+
+  def assert_any_match(array, pattern)
+    assert array.any? { |item| item.match?(pattern) },
+           "Expected at least one item in #{array.inspect} to match #{pattern.inspect}"
+  end
+end
+
+class SignatureCheckerTest < Minitest::Test
+  def test_verify_raw_with_valid_signature
+    checker = EasyCodeSign::Verification::SignatureChecker.new
+
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_cert(key)
+    content = "test content to sign"
+    signature = key.sign(OpenSSL::Digest.new("SHA256"), content)
+
+    result = checker.verify_raw(signature, content, cert, algorithm: :sha256)
+
+    assert result.valid?
+    assert result.signature_valid
+  end
+
+  def test_verify_raw_with_invalid_signature
+    checker = EasyCodeSign::Verification::SignatureChecker.new
+
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_cert(key)
+    content = "test content to sign"
+    signature = "invalid signature data"
+
+    result = checker.verify_raw(signature, content, cert, algorithm: :sha256)
+
+    refute result.valid?
+    refute result.signature_valid
+  end
+
+  def test_verify_raw_with_tampered_content
+    checker = EasyCodeSign::Verification::SignatureChecker.new
+
+    key = OpenSSL::PKey::RSA.new(2048)
+    cert = create_cert(key)
+    content = "original content"
+    signature = key.sign(OpenSSL::Digest.new("SHA256"), content)
+
+    result = checker.verify_raw(signature, "tampered content", cert, algorithm: :sha256)
+
+    refute result.valid?
+  end
+
+  private
+
+  def create_cert(key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = OpenSSL::X509::Name.parse("/CN=Test")
+    cert.issuer = cert.subject
+    cert.public_key = key.public_key
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 86_400
+    cert.sign(key, OpenSSL::Digest.new("SHA256"))
+    cert
+  end
+end
+
+class VerifierTest < EasyCodeSignTest
+  def test_initializes_with_default_trust_store
+    verifier = EasyCodeSign::Verifier.new
+
+    assert_instance_of EasyCodeSign::Verification::TrustStore, verifier.trust_store
+  end
+
+  def test_initializes_with_custom_trust_store
+    custom_store = EasyCodeSign::Verification::TrustStore.new(use_system_certs: false)
+    verifier = EasyCodeSign::Verifier.new(trust_store: custom_store)
+
+    assert_same custom_store, verifier.trust_store
+  end
+
+  def test_verify_unsigned_zip_returns_error
+    temp_zip = Tempfile.new(["unsigned", ".zip"])
+    Zip::File.open(temp_zip.path, Zip::File::CREATE) do |zip|
+      zip.get_output_stream("test.txt") { |f| f.write("test") }
+    end
+
+    verifier = EasyCodeSign::Verifier.new
+    result = verifier.verify(temp_zip.path)
+
+    refute result.valid?
+    assert_any_match(result.errors, /not signed/i)
+  ensure
+    temp_zip&.close
+    temp_zip&.unlink
+  end
+
+  def test_verify_unsigned_gem_returns_error
+    temp_gem = Tempfile.new(["unsigned", ".gem"])
+    create_unsigned_gem(temp_gem.path)
+
+    verifier = EasyCodeSign::Verifier.new
+    result = verifier.verify(temp_gem.path)
+
+    refute result.valid?
+    assert_any_match(result.errors, /not signed/i)
+  ensure
+    temp_gem&.close
+    temp_gem&.unlink
+  end
+
+  private
+
+  def create_unsigned_gem(path)
+    File.open(path, "wb") do |io|
+      Gem::Package::TarWriter.new(io) do |tar|
+        tar.add_file_simple("data.tar.gz", 0o644, 4) { |f| f.write("data") }
+        tar.add_file_simple("metadata.gz", 0o644, 4) { |f| f.write("meta") }
+        tar.add_file_simple("checksums.yaml.gz", 0o644, 4) { |f| f.write("sums") }
+      end
+    end
+  end
+
+  def assert_any_match(array, pattern)
+    assert array.any? { |item| item.match?(pattern) },
+           "Expected at least one item in #{array.inspect} to match #{pattern.inspect}"
+  end
+end

metadata

@@ -0,0 +1,219 @@
+--- !ruby/object:Gem::Specification
+name: easy_code_sign
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- michail
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: hexapdf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: pkcs11
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+description: A Ruby gem for code signing operations using hardware tokens (HSM/smart
+  cards) via PKCS#11. Supports SafeNet eToken, RFC 3161 timestamping, PDF visible
+  signatures, and signature verification.
+email:
+- mpantel@aegean.gr
+executables:
+- easysign
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- Rakefile
+- exe/easysign
+- lib/easy_code_sign.rb
+- lib/easy_code_sign/cli.rb
+- lib/easy_code_sign/configuration.rb
+- lib/easy_code_sign/deferred_signing_request.rb
+- lib/easy_code_sign/errors.rb
+- lib/easy_code_sign/pdf/appearance_builder.rb
+- lib/easy_code_sign/pdf/timestamp_handler.rb
+- lib/easy_code_sign/providers/base.rb
+- lib/easy_code_sign/providers/pkcs11_base.rb
+- lib/easy_code_sign/providers/safenet.rb
+- lib/easy_code_sign/signable/base.rb
+- lib/easy_code_sign/signable/gem_file.rb
+- lib/easy_code_sign/signable/pdf_file.rb
+- lib/easy_code_sign/signable/zip_file.rb
+- lib/easy_code_sign/signer.rb
+- lib/easy_code_sign/timestamp/client.rb
+- lib/easy_code_sign/timestamp/request.rb
+- lib/easy_code_sign/timestamp/response.rb
+- lib/easy_code_sign/timestamp/verifier.rb
+- lib/easy_code_sign/verification/certificate_chain.rb
+- lib/easy_code_sign/verification/result.rb
+- lib/easy_code_sign/verification/signature_checker.rb
+- lib/easy_code_sign/verification/trust_store.rb
+- lib/easy_code_sign/verifier.rb
+- lib/easy_code_sign/version.rb
+- plugin/.gitignore
+- plugin/Gemfile
+- plugin/Gemfile.lock
+- plugin/README.md
+- plugin/Rakefile
+- plugin/docs/API_REFERENCE.md
+- plugin/docs/DEVELOPMENT.md
+- plugin/docs/INSTALLATION.md
+- plugin/native_host/build/Rakefile
+- plugin/native_host/install/com.easysign.host.json
+- plugin/native_host/install/install_chrome.sh
+- plugin/native_host/install/install_firefox.sh
+- plugin/native_host/src/easy_sign_host.rb
+- plugin/native_host/src/protocol.rb
+- plugin/native_host/src/signing_service.rb
+- plugin/native_host/test/native_host_test.rb
+- plugin/src/easy_sign/background.rb
+- plugin/src/easy_sign/content.rb
+- plugin/src/easy_sign/inject.rb
+- plugin/src/easy_sign/messaging.rb
+- plugin/src/easy_sign/popup.rb
+- plugin/templates/manifest.json
+- plugin/templates/popup.css
+- plugin/templates/popup.html
+- sig/easy_code_sign.rbs
+- test/easy_code_sign_test.rb
+- test/pdf_signable_test.rb
+- test/signable_test.rb
+- test/test_helper.rb
+- test/timestamp_test.rb
+- test/verification_test.rb
+homepage: https://github.com/mpantel/easy_code_sign
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/mpantel/easy_code_sign
+  source_code_uri: https://github.com/mpantel/easy_code_sign
+  changelog_uri: https://github.com/mpantel/easy_code_sign/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: Sign and verify Ruby gems, ZIP files, and PDFs using hardware security tokens
+test_files: []