From 31fa7380f559de2fd5ac13a720dd10306e3d8581 Mon Sep 17 00:00:00 2001
From: Patrick Robertson <robertson.patrick@gmail.com>
Date: Mon, 24 Mar 2025 16:00:40 +0400
Subject: [PATCH] Fix up unit tests + issue when working with self-signed certs

---
 .../timestamping_enricher.py                  |   7 +++++--
 tests/data/timestamping/self_signed.tsr       | Bin 1600 -> 2905 bytes
 tests/enrichers/test_timestamping_enricher.py |   2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
index 93d3ae8..385787b 100644
--- a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
+++ b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
@@ -83,6 +83,7 @@ class TimestampingEnricher(Enricher):
                 
                 # fail if there's any issue with the certificates, uses certifi list of trusted CAs or the user-defined `cert_authorities`
                 root_cert = self.verify_signed(signed, message)
+
                 if not root_cert:
                     if self.allow_selfsigned:
                         logger.warning(f"Allowing self-signed certificat from TSA {tsa_url=}")
@@ -168,7 +169,6 @@ class TimestampingEnricher(Enricher):
                 return certificate
             except Rfc3161VerificationError as e:
                 continue
-    
         return None
 
     def sign_data(self, tsa_url: str, bytes_data: bytes) -> TimeStampResponse:
@@ -216,8 +216,11 @@ class TimestampingEnricher(Enricher):
     def save_certificate(self, tsp_response: TimeStampResponse, verified_root_cert: x509.Certificate) -> list[Media]:
         # returns the leaf certificate URL, fails if not set
 
-        certificates = self.tst_certs(tsp_response) + [verified_root_cert]
+        certificates = self.tst_certs(tsp_response)
 
+        if verified_root_cert:
+            # add the verified root certificate (if there is one - self signed certs will have None here)
+            certificates += [verified_root_cert]
 
         cert_chain = []
         for i, cert in enumerate(certificates):
diff --git a/tests/data/timestamping/self_signed.tsr b/tests/data/timestamping/self_signed.tsr
index e7ffd8344a4476af45816719931c4864d7bc8b1f..f78400eeb4ee3f7932e84a78043f4b57b9cc3aae 100644
GIT binary patch
literal 2905
zcmd5;do)!09^ZS<HjFVwO^mlGq;kjn_KbI>m=QuFjY6fw$mB7Y3BB!6PF}6j(vedh
zSLj4k^i*6rsV+*PR!TzYp>B0kI6d6GJ3VyPy8qpE*4=CE{rkRtzwhV!TfguAeSnG{
z04N9y0TtbcN}HADnKr_J)sZ3<eJ){gLSPEU1Pm%|b($wErJx8!4FY%(mHs7?rURoz
z_-+)>26zSn!&Hsc_#Bvc)WG6DO+)9uk1vA?<;BCZtCj0$En!Z*+YCEn2hDeH-;yKD
zGOrkZOJ@wcZt81`9%fu>a2wF@zbxu$ndR}|V*e<0vUzJbf=;dKkJe}M0pAV?__i1(
zaK!9`0h)rq!!SIKXspkesc+f*tf5Gy-UL+Y^+2UoRz#GCAS@XKK~&EgO7r}MEu(}?
zXe7Wdb-)a=t`y7wu&I;)RE?!0^jpZ~b1?w8z{yd7VHh3INEelb2>n0r3884RsJ>o8
zFNp+W06OWVvrv(6fe5n)wxmj7afPlNKe3OO#ETG?xcm6Hio_g|J4fQ>?&~M!a5+Np
z5{WCvpL8ekfhn88w<T%=n7yr&01IX_1Q_7+?f96TgRLMKDF1}emJ3LPz!qQ*KO(dM
z(?|rGEF(A9MM5!0=)Oqe@9IP5{+@CIY+@Y@(*>+QU~5U15OBQ~`MGlv1waK)o48l7
z8bndSOybPInurR9p`Kpf{r*YLSLkNrtzAF6yfZZ5X!~y$&9*Fgf2Y()(mC`{Bi5RA
z^jOH0mm3=A+oX;M<aestDMOVPs^vb~)xpm#L>>R0b9N};Y34R<9p!cIoYc1N=UuZJ
z6I$>3Tivi+&<xWK2HA|!B@QkNr+x%u%(!a@`%uFW$<tI1^MZpNyR`y>Pjv(vb)gH+
z9bv9A8{5}E3HdED;@$!Em`^Wb0-xrv>o0sb-S7WTh36izIEP-G`^!nYZlg!anB-$T
z3y$j$eHg7qwz}qWgvoYshDw+CT;Jl&-5b-l9*G?tz8#%N_qZ<#4yai(RFP<Ca&}dl
z>A}lc1<dx7huDdNqX-3t;1U(Z8K@}s06$0Up$P}YPXN3c;FS}40xtw{R1Iq?tfr=p
zARydy4deyIKygqsBqc^E6bmV#P>4h5<kuBiPv~+e0g^%Cge9D?g%eR6$Q@FAjwI)j
zcKJ7tgoq{Aiu-I!gap9)TSi#VEK;eAbLR1siclMcEH+MR6Ctw+OCWX9!vlIGc1xm}
zP%WVObs|LrXp?p(X-6pt^&h~5)U{DPbc$-Tz1B64+RZCXbX2mVk47{H0^@)g={868
zfnLg#V|5QSY`j^Kui8^Yl(mQEja!Dj1Nbl*VTR(*0sa)=gGKm25&j@8>I=T4q$C1a
zLQH75Y^_Wg8f~*yPQpx(#>o{jr943<=Luac`QU475#pETA|#PJ@%f{{2!TtypHDn7
zl5Iu|iF{(Q=(P9=$zo(-GUb;n6BGY$QxYAc@pV&S7{%WMd=w;owE*O=tX~PXOi28f
z?}ZX*ktcvf9w`Js6aO#7znG#T?j&y{q-k_X;WXX4q*3iBLP6nFbK0wEK6dx->tGuw
zyI*fT$&R!RtLU9^ZHGm;dQ;MhP&cD!gB>A{^H(^Yn1Om-HpK?6NFz=e16M``){Ad+
zcryzXz5bnb<%M;_vUTOUw<<SeM!&XVs@iv07|h&c^i#{W=KUk_&9p+X-_1*j@XJNr
zj7|1hd+J=8PTrLSPPX+qCLC;7HU0uWot)pkM`YXRAhQ(*-L^_bCx<x62j*p~6m5(>
znd}44#D(ijI@ZCr=a!oXWsD7sVCki5#~Xb-#ua;azk6`Err+4hv`~H1+%m<K#{5Yh
z>OGsz`+2;*T5wU3U;QdX-{aYUX<F0b#bNp^&k<>|`jf>JJ;UsA@AU5B1I~T(R(JDm
zDSB&nO*i*mHCAM}(kSPpR&CH`y${_*gKsYNvh{eCSz+Bbqp6vmX9dRlbD0&Htj?;6
zjWPX$2I(V_k~i)l+plHY9nbG<cd}#X4?32A<mO%3^>d!a-(+29MtAY-uk+H(W-O0b
zo>x-bwhu}Fo$Ye#edNo2qX)i^=U7-a<kD)Ro<ICFucV5agYR@ni2qnKeMA;j*YvNO
zhf4J_0xuk5EUYO>5^S6lR(P{MsO7z1NkC!!@sS~ir1K+vB|TyKJYHglMP1nw`jdN&
ziVOpj>cvg3D7{U?%VLW!IET@={E!w*g`5E@q?X_n0MGkBxSszji<rQUityLK@Efn7
zQ8302WC<95_o-n_;=2EV%80*vQOpgU{|MWh=TMNgx97mVvRHZcr>GNKd+bB>qf^D>
zU7;Q}=0~UHIc`y`y<F1XkjRY5s!#bT7hB2oee=mGyY1J*i_}2)gzN|p3jj+9VkRcY
z%6CSG&L1_<<}^4Nx5^)y939dd>+9NF;FI61mRldGl9nKBLy>`IRa)@nUfI<$>5VfM
zOY;(Eix}tUBBdvSGRwu@x)Yn1AP1-lhPDrPy)`zB>4;o&i=+Fb@?mi~%}x8!wug7m
z8xB`yz}L?l$*n@?1{dRAr(fjN>GVXLx8_G^c!XNsyYx#%iZA!w!GwK5Go!6i%YM7K
zCf99g!=);TO<;hPQukbI+|F@0eA4~tAD*-P;*S)Zy-~X~x$oxRB@)!<>V{)RMIv*i
z!K*ttNxvGhWA)86x0tUoY1(wf^sMoUEJyaP&eEQ=r+T_tjEo&d=Ulc#o$9fOEqB)V
zSl;^hIDc@j$1<-3Uulyx_KtU!wA3bQtt_@P=P-TadYAOL!u{#nRb8{!rRpk~HfBch
gn&zO!!)(=Zd>-YFn<6p5U9ofd&Yoq=z{l(V1HAFyKL7v#

literal 1600
zcmbW1X;71A5XbYrZxRwn2*^1o5{VWGf=>wHQ0@k#BBIElI4BsRBnSwhq*$yZ#T3EH
zA&RzxNjNluNI)4u@F=K+dlV?(2q;mmQVEL6q0-oKDt_n}KR(a?XJ_}n`&%HyIs*e3
zLIE9uw*Mh^LPR1bE|%;c9gz%#*i~3ORpcXjON2CFi4eO?{iO{<2#o}YSbVt12Vx^=
z7{Z`{pa84&Nr~5i&=SF~Xh8-L`~pJ|7NUafOZ5l_g?3+vzkm|QNoO`zBy#bsET^HP
zCf%_kl<c%4x!<0kl+C=>A}XgFp0*#HA>O;~sl){|F$Y?yo1Qcd&tjKR+9F|{#GrQ_
z$T3Id+KX1CX%BaqG07I#G60=MquJTfY#l>kJnD_($!9t1YQrQ#!~+Ns7a)Y!NDvr;
zVO><3@7v{&#oba;k*TbTv$O7FiJw}4wA3xx(@cOd770RY5_I`|z73CaAa+0JAe(2y
zii@Ec1H+Fogh296V6(}AJ3Poc*a=DO1hCSGNOJ@XIso<z28|wSM5NP~Jij`x5Hep{
zqS|#t2$4`g2x-DX2twtU<OFfP+nuAoV)A5rldE-e(P2!8b}eN**2|@?LO7&y&aRg%
z7Ff!sMAoy9(oE*tqiQ6o*Ua<+*>P>1yVQX*VuPr?g*P^gdWWIoc+jM1b(#Fxfo(?J
zITHcv9%XYn+{;ZBxC<JP!?g}+Y};SB{>b(Rz2Zxkd$}PG?lCQ-0eX~Ig~wk#G4}|+
zUeiN4d^^)w>YVtn%9JQoQl%|AJigF(x9jQyY5T(F@6>K*s(LE5OXX#uIC9Vjx;I_r
zMZlfkOY*Dmb5#s#Ql@K5B8wa=E~OS1dRevx`ri*#bWdHGi8=O8qp2bxkKf2-;Lmh&
ze;kwTE^Sq0=)wquf{MHW6KJU?V@g7!5m+Pj-!Yl4fuKb+0cc`zR#*sw(Liv(^rJ`{
zZHU&d&fXQwis*0TraY|E3+~d~oSHtk)M@oHsGWvT&Q0m=CDuW~q2(<$devhduV`63
z-8pUpN@qhe;uKf7s_$O-7)yM|!In2WcH(()wYkF4PaL1_+w#I_F1M_3yHq!FwMIbk
z9=n<z(}+wLH=o5MPfBG+7V9RP!9n3T7Mr?y-gIB1E3c41)cb`$mE^}+vpZtuwvFQN
zv+DP(Ny#6uq0Xl-8p>(|izFgO4NKm5_3~r0l$~qGeh^oh()$m|b$&WXwch3Nl2L=j
z-p;+#JifW@G1hH(ADe&orOax<aFH{SDX#Q(I31L;Z!!68-bMqfG|Y*7DUUc{)$f>T
zY<Ak6Rg>{eXdkz!Z^XswRwi%UwPAFwzN^=hCWLj>01?$p1K+P*<NpC~$t{rx&H|JF
zP{boN;uog{toR(m&`3taFPH~bOT;jNwgRXj2I?V?;Zn4-PRSJIJ!i_AH}6ylMD2ZG
z{pVC@nmL;Mb3s}!Up5@&vA<qGHg6?xIm2FlC9yYD(a8X3$-KODE7bg<g%B!k;3V<N
zk;6CbXSmUW4FbdL<=s`feu?K5-l^A>8DzfO{n+@q<1|Gj2sd$mKRNPbYjBCY#CRfY
zxGpFuecera&e_^%!iN?M!5?7_TNZOWwe*#zCqrh<icW?74mJi_43!d{3_6Q^%}kQA
z=Z8Z`U01V2tx@6J82NR19$b|-J2kOfWvQRST&QhiRy*X|dX6tUH)y=84gZ_bs;T6W
z!oR(Ite(cLZ<hE|;}roj8AC6Q`iGtCKUQ${EIsN-*`bRw4ipdZR-~AL=1P0x3XlQ)
we3iq>TYh>oc5aak`$xApeJB^@dG}CXVB+olT361ye4qDbx|Q*~qcivUKVj)=Q2+n{

diff --git a/tests/enrichers/test_timestamping_enricher.py b/tests/enrichers/test_timestamping_enricher.py
index 22cab06..9e67ffd 100644
--- a/tests/enrichers/test_timestamping_enricher.py
+++ b/tests/enrichers/test_timestamping_enricher.py
@@ -73,7 +73,7 @@ def test_full_enriching_selfsigned(setup_module, sample_media, mocker, selfsigne
     tsp.allow_selfsigned = True
     tsp.enrich(metadata)
 
-    assert len(metadata.media)
+    assert len(metadata.media) == 2
 
 
 def test_full_enriching(setup_module, sample_media, mocker, timestamp_response, filehash):