From 4c1c8953ca77c843a72508a4c4c0eef994491ca8 Mon Sep 17 00:00:00 2001
From: Patrick Robertson <robertson.patrick@gmail.com>
Date: Wed, 29 Jan 2025 12:20:52 +0100
Subject: [PATCH] Add unit tests for timestamping_enricher

---
 .../timestamping_enricher.py                  |  25 +++++++----
 tests/data/timestamp_token_digicert_com.crt   | Bin 0 -> 5964 bytes
 tests/enrichers/test_timestamping_enricher.py |  41 ++++++++++++++++++
 3 files changed, 58 insertions(+), 8 deletions(-)
 create mode 100644 tests/data/timestamp_token_digicert_com.crt
 create mode 100644 tests/enrichers/test_timestamping_enricher.py

diff --git a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
index a7a0aee..4d5dd20 100644
--- a/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
+++ b/src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py
@@ -6,11 +6,11 @@ from importlib.metadata import version
 from asn1crypto.cms import ContentInfo
 from certvalidator import CertificateValidator, ValidationContext
 from asn1crypto import pem
+from asn1crypto.core import Asn1Value
 import certifi
 
 from auto_archiver.core import Enricher
 from auto_archiver.core import Metadata, ArchivingContext, Media
-from auto_archiver.core import Extractor
 
 
 class TimestampingEnricher(Enricher):
@@ -45,13 +45,10 @@ class TimestampingEnricher(Enricher):
         from slugify import slugify
         for tsa_url in self.tsa_urls:
             try:
-                signing_settings = SigningSettings(tsp_server=tsa_url, digest_algorithm=DigestAlgorithm.SHA256)
-                signer = TSPSigner()
                 message = bytes(data_to_sign, encoding='utf8')
-                # send TSQ and get TSR from the TSA server
-                signed = signer.sign(message=message, signing_settings=signing_settings)
+                signed = self.sign_data(tsa_url, message)
                 # fail if there's any issue with the certificates, uses certifi list of trusted CAs
-                TSPVerifier(certifi.where()).verify(signed, message=message)
+                self.verify_signed(signed, message)
                 # download and verify timestamping certificate
                 cert_chain = self.download_and_verify_certificate(signed)
                 # continue with saving the timestamp token
@@ -72,9 +69,22 @@ class TimestampingEnricher(Enricher):
         else:
             logger.warning(f"No successful timestamps for {url=}")
 
+    def verify_signed(self, signed: bytes, message: bytes) -> None:
+        verifier = TSPVerifier(certifi.where())
+        verifier.verify(signed, message=message)
+
+    def sign_data(self, tsa_url: str, bytes_data: bytes) -> bytes:
+        signing_settings = SigningSettings(tsp_server=tsa_url, digest_algorithm=DigestAlgorithm.SHA256)
+        signer = TSPSigner()
+        # send TSQ and get TSR from the TSA server
+        return signer.sign(message=bytes_data, signing_settings=signing_settings)
+    
+    def load_tst_certs(self, signed: bytes) -> list[Asn1Value]:
+        return ContentInfo.load(signed)["content"]["certificates"]
+    
     def download_and_verify_certificate(self, signed: bytes) -> list[Media]:
         # returns the leaf certificate URL, fails if not set
-        tst = ContentInfo.load(signed)
+        certificates = self.load_tst_certs(signed)
 
         trust_roots = []
         with open(certifi.where(), 'rb') as f:
@@ -82,7 +92,6 @@ class TimestampingEnricher(Enricher):
                 trust_roots.append(der_bytes)
         context = ValidationContext(trust_roots=trust_roots)
 
-        certificates = tst["content"]["certificates"]
         first_cert = certificates[0].dump()
         intermediate_certs = []
         for i in range(1, len(certificates)): # cannot use list comprehension [1:]
diff --git a/tests/data/timestamp_token_digicert_com.crt b/tests/data/timestamp_token_digicert_com.crt
new file mode 100644
index 0000000000000000000000000000000000000000..592edf4ae0e96057379dd362f8671e6385a8a8d4
GIT binary patch
literal 5964
zcmchbc|6qX+sDmfmwn4Rb{flf#!l9;hGgGDvea0z%tEqGvZPX3LSZHfkx)@~4$2nU
zMI>9Ihzg0GQ8`EFcb?~*-|Kn3&ipmkeP8!=U-!)Y`M$r`1rWH5sAvzw8pW>d15tyC
z1TIy8z@-QVK@d#9J}TN{u|^<I2owyWqyVC`sOW!s(lUdf#ORCA=<`5y92f-p;TXH+
zOAP`Le_98H1t+sr&z96$UKkm7@1TdT;cDC)`HUG(9L~(?$6e@A0kcpHr|I)d2&IQi
z-y$r9o`1~4&4dJyiU0zsf|N%pA`~3KFq8<zuyzrAx$<ZYiNV7h<vNnhWs~u?G?%Tx
zTi_&vACbTY0SHtz00Ejugn&U{Ff)CLSB+y;WNKXN#yoUN9=em+&l7;?$tQA0&;zto
z5F02J8`#DQ!3A*a7<6omdgv2qlxGlD8fJXTT^6AZsP0Ta*pRyuFzX;32J7hoGgN?C
zTInbNs!A{`BORoo63iOy=V^s?^9w+qIsrrJ00Lb5kmPx!67c=w$hA*i5rIG|BIOlT
z6;&Mp-CvVn0hoRyL9@FT0tN{D*q&>5==&y^olRim-$?-=fQ9#-jr?yx2w)}(@;Dus
z00vRid1G=urwSFN0aZ?Zvktir-)vnG<Zg~v_s*EQ)wo3mz)-ApG|gCp;QGXcyNH?7
ze#Z80@DlmNo^1M_&{RV^c@y=1)D8V5O&VSFCKj*WF1bWve1FMLc0sJ=#g^_prIYzm
zkiPn@h|6rR_|WE~ZN$u|(r?^V?EVp!;ck;tq0a>I^U|hgZe_oyb(ptsNUAfn`p}g*
z3VUGR9v0J4)jMd>Bk5>YcQH0(Z4tq37HJVO7#4Fj{Y?DK(wFt2o_j3kjEW<QmCcY(
zlAK5;CF!omN3_@<k@DBZtHK5B-WqWwg{s<z7+Nn~q>_TD8{e`N#EwGiS>A+keWFD3
z;JQ=t^(L2%axUv|;v(RX4|)Up;Dz?dz7HLQ3##gbL|?KZ5Ai6v3U$CB3E_c{4<15e
zaKj-in=K`&W?2g=7?*^E;SCp&0ess=j<ZOsTVd;2zPBRNB;sV^O?UqB<9=)C*~O<W
z*-U+u(@~?EG)qnB25&39kmMzyw^U;IY)YD^aOd8%uxI;v-#u2*mSwry)-Dm~lqAx?
z6EA*KJosgoA@9q9{6ga?7d`!kYF}#x{TlD$7HuW*dxM9S=9G}^or%gqin{Yh4pGcI
zy?9q^M<e*~9`ERZ<8Q;0I=3Wj-uiNyOQd$BMT(nra%S{&++Z1sP6*o0LdC{N&TN1o
zAPP_}0h9<3Kyd&g`8M%0fk5A&Pzabh3Sii=*>-F&Kml;>SYkUC13*Vb1E&H}Qc^=`
z0NBnr47wlS0%)kHPDC?+$nNxel`pvCAp+$FIHTCBI7j@<&dFh<@R@SB3*NA#?5F+!
z|BeGAloQIHV<!y>W|ZW(>~+iC<-Pe;K|Ik3aNL;|gjxX>fH~2OXcB9D5{nH`laq4~
z@|BnMAZyZ{tVvmSe?PfhA^en~p~6oQ{?OoF38Hjl$;*N0%ezMbfuPZ6f#@hebaw;*
z#d81L$=@9l@XJns{qJ7jSkv8n+;$Sd{NniEri9%qSn|V&ELaeQ#$5qHe1_AMN(`&v
z2<pmbmeK2nY51Q@ns@h&oryLPcPR?#O}ujLwEJeWFv<47xTI9m{Us_d=MtM}f1Ra5
z4TT%l*9e|)hFnWsQZhdMN$J-*ncKI_{0`Wv_fv6Ece2So5QyuVcfpl5bsp{Sh~V(P
zKUZ_EsL&AxKXhRQ>=yU!4udugcB%bJT(O+!fEpp>v|2Sm%bFeh$+9}(fb|@$?S&D;
z6bt{a-N8#q+-7gNtkzn5hHb@YWjp=qsOzr->a$U<94Xgvh16p2qOB3}`>kv)ybUWI
zJ<~T2B{oKw7oi`t>`Q%PX;|I4E)!foQR^{7*Y(jF6jT1xIK856KCS25e$THV&pxJg
z+029LJzj<S-<G{@u_O$?Rgk5Zx*#$mPhHfIX8zU3sXE|%YM(^T>)8zUX|qs$m^St;
zZlw625RDsTv)R`H8t<HWiuYV12ZU7N2+?;dpl9Hl&osyNox9wXn5xtnM6!H#iZ9sU
z4G**T`;7x4PH~2s=ZY-3-YH$tosQ^Xxzrhx7gWqu{kSvFsWOvpCc2b!o$vJ(jw54t
z)A<|o;tLvH(>zjPn(np*mkk?1ac`*=uv^#gD5%!8=(32>$W<z3LM7iewth>|BUI}|
zhJoyA0P5irYW|>`z8zX^fs^|%9>f*?_7EGeNi~}Da8t2b9+_VyWPYXn<QKJ)a;2zs
z*sx*omZaAK7pFg68Q}P@=->d@$O<C!i(ywDJNQD76}vM`&&C`a9Q@0jMF;^qnk9pc
z`}Y;QV6*i1$CByx9bZU59x49^zLd!(au;9!3Pb;nZ>_P4RL1ukHG+&SY@UcgnpdtU
z7hba<4fdXWo^5*5k67AycEj;A3rUYd*EKJG_2ifE)f)-)ky(P-O!9(9*yzPEX@2W=
z1>o>4)PtB8EFUms_us>#V$KV5Pb|F9Xy%G6+7H*%9XoO9t%b(&pl$!0q|8EJ*+bl%
zAeHCE6sf+EMfAkT<v0V1GoyMs31ea2cA?A4r*oW(JKn^2Jg{8B8?L#X-T%_{fi=C*
z$y3Tg)!N0b<>QCKpM6qgJ+Z`i%iVYSb_;)((!Qeuv%Ce39$4-ChM<<J!-8cG?afYa
z4<%uei=|ax-!d9pE=8~v+DWBJ$bO2uopcz_VIv-pE*?qbF@&L}Q0`G@aHk~1E~l%h
zu-yOrIeS*!X)$_Sn0<tB;K|i`;`o&2P0W`$K}X+|70Xl>xII=|vIv8EHgSl==cCdh
zwc36s4WoN9r^4WVmRjxr<W>Fh&4cZ_W86lO><ZnzrbSEFHMSWac^vqHlN8l?r&~{X
z!^_z6$VZD+C1bNhSg*95;%Runs{XMWk&E_gV{YTg+o}y4<-je|q51Sf_L_Z=`0e{i
zeJ&<=R*U4e3k>Q`=Y<Oz#c4L!nOPy>t|HYQQ|_;BPilT{!j@|Z(Bc=1oDFcVkLB9a
zf+Q&zW31mln|FTd0<hK^WIyb~KkjAp$zbS}f6!I7%Qt5--y8te9gckG84W;11{wLm
zx(7XfNv6H%S{#}p^aeV6m`=!^(3-1CFX3Y{|CO1b*zZc?7yA<;gLhd$W{eMj{)dFo
z*<A&IV-^1k!t5y2P=QQ0EP&cMu^{vypa!TAm52(l$lW-9N6z1a`2GXH|N8p;omk-x
zml~2Q{L>5dgh3HrgTq3)lcn6U%w}xefYq~l?#(AhoL`$rZ3dj*cSj2S72Vj)Pd%@B
z?CCK5%u%Nyzql_kFfj$hiLMIPH2>x!rpNgiXb1(IwS~6b9GHtBVX<eaXf4Cw%^)oM
z(6=J<^U|S3=ekg??~Ya6F~8!KEuH=9eDTcIg&Gg>INz(aSz$c^bYV*cH8}Gs$F)M{
za_9MPlGX{!1Lp(ro-aC=gK|Z_G)NHiN-`vPi$n#)8!N{TEPT!`JDm}oYa3fcr{6Zw
ze33YpzPWijE9hSHlg38xz>!wADB9+VoUXVy(Q5Nt<Hx~XS3U&Ym^T4i<|{`eTNSJG
z(-<?Qbg72E{3hm}At9}y<&*!x>o=V)^9t?jLPFX-m29G2WBeg%)7f`t6audfiTg~e
zV2W;o%xksOL++a1-E2-h^N!9{UNuf9BvfVo#^g(pEq=+qCmU}*q`Pjyha*-DvT)J@
z64K(M{v2ln_9rSmO75Rs;mUAm4_H>NPp6oGkzf5bkDcHoc~!l%X;71jElnrF-=*qQ
zsts_YBOV;5WumK%9%0+A&wIXVH&O%rLKsI*KogcJx}2LfdPE{A=%?{u@sVXuyzXtO
zI9fyaY$Q+KIi|1aX`gMZ;et_L8dezLGlQFja(Wzx=GYkdN0n80Nbt|^2E)Dr1j>tK
zV&Q%gi}5=5rHvk$xuww~uW7Wo9rqH8fn0HU{(p%j3JCuo7Vq!G(!pSGLF7`*SP%9c
zT0d(pB%ngBMSrik5C{ah2>V%c{Ttx?J7(3-UdEgpuby^3bPx~*(DI8-`C_tdLK-XQ
zhaH+GrSdiGi}0CUC1-eJ_B8{7tGszCoC~(C*Zla4%1^Jfv-D284pJVpWU>@&&E~ij
zQI}I_$LU}bbnj$xKvQ`YF2fsxOnJ_%$1FQRSf!4c#j5)SzLsI&eGeOGgYmmd$vj(h
zIs7zvUC8aa!UAQh%c2uc%|csuSFwV&Ygwq*`{1WW1zvV`Io9@<7~qxW`M`+n`}Q-=
zQ+M0UU1k*L5FIa)UB)gYMZKuFlCFLE^lu?gD$1H4dULBlm@f|ZE9c2lhR1&*Xfj_3
zD6%2wAcsbwm;<M-fWm}K`)f*gAvos{uMstbUZ%WuJ<X7#abDAGA@Rh^Jc$~Tx#~j}
zd#*LnqXtPHYmMl5d^%pk!C4m{mv9XoYP9_7CM&O3CboUtL|~55y=1n3>FQOrY>hFB
zX??MTicG!z@Q8+#2fc273-Ti^6DClK&Tzie-;&mZ%F9_Qt0PwiE(A#H9J^EI&aIcq
zgFhbeIjVH?jmK^I=Lyu4wUx7|Jnl!ggF%x_DGWmV<<?SS3BEIomKKKCI`QHP9o%?m
zvFk;xwwgX27FMSj<|7M;mi8b{VcLl>Q=FFjqL6Dd%)-aNtSC0oylGJ1H4FBYB+$~3
zbh9jiPCVn&G+Hj5U*^+DVLAT{?=G{{$jnmuUiAN979{{7Giwj9{*p&~fu+B2^WMj+
z9R!4oMPh!wP}Zv7Q>Om_*6Cf!klEx1`20gQp>|i1*`&P7l>e*x`6)(Yy&Wljuf4E<
z{tr570%SfB$$W}c*p2kR(&<0L_yR0DVPH@?fJ}8NDETYJpPnud0tiGAK&(d{wV6|K
zCFWvzH7YoV*6Qu3Ycq>Uang(DTnc%rh1cVF(AL85^5TR2YI)c{vK<PQlc`i$`uHvC
z@j7X3C1_l<#uD=MaL<A9FEX~>8z0w-fzZsva+m(@=P14FD4~V4Ad=C8jE*exd@2ZA
zu!LU!T;v;vg5`QS`rGp>3I`Y0AWz~7dQG+WD;jvCtxF$~Y%eY54QRY68{6U={uu0d
z)cS(|66uJ>S3K>>m>mE1QP@SrV|-vp2duQ%p2(=}-jXidSnlx2#;04N$QS?2Uqt3(
zM4-2bkMK9vN7gbD5yNUD%N22HTTai97IXh*mV>DT73SF8aglueI0Zp~-~j?8h}@L}
zg8!8c*I)P9_H+)3(a!;%-#c%#5X8P;8i@ekA9IulCUU!MZ{rVu?{Nk*Aou_tfZSn#
zvXAzidw+biSM$vD=Rl()aiRmUPWph{AEBTKVJK`W|4W*MqWr5OfR0&d{dGG<>OF6@
zG?JcbLDlH64+j^Zyf?ZWLJ|-M$cTZ$@c5j96?Zv76up`VP%>zX+aAJ<QVx1Prc6#p
zC1sB8y?W$!8<YU1Fuj~OnLoN>&0^EuXn(E}+b8DD@i0ZWDPUCdBs(J~MQhd+Ax@f+
zeoj1KD<f<00uOHsheJ4z@c4~}d_Kwycbn!ff`hvBht)ik9$tNd>^F8~$2q--khCbX
zMrY_MN{P)ZmpjvcIn>GqIv#Eit}D>%b`x#i`*HXi&xf0twq@tX;5gKJrvD=YiX)&|
ziMq;;49dGUxD3bIPwmJqo`c7-n^qUEN|tflsgr2$T}s(*a<#-fD2eLa$|l_{UuWn=
z80DtHksM2{OWWMudbNyGc4J@_gkzn=M|37!xzdEXRfFAi;J0zJypG(%;WUizHIrS@
zQz;^lX!Xr)i=ztm8~FW??D!gC^4$xcuBmy-Za;Ee*u3s!D6?LUPK_#o<v^)Tu99xK
zew&OrbvpF(dW)j)8z;XGt)_;s3NhlVf@Z%p22YTwT<k)vVLBV5y5^mAxcSJjN~`yQ
z$=l8J&kZo_-R-5VDc2efiWb%TuhNk=14j-8sdeE--64~OH^)k_$^I)NYGb#3@4fGz
zKdm}+m*3R9zC@#|JkYxerqe=K)Zd+N6VX;BDBbB-9qE>vt3I`1&Pr#=VevwBV|WgT
zzZ2(huQlE`;H1X22~W<m2E1+J<H!3qf9r2e^{MBbDO09yvl^b}e?Gt*d8W|D1*hs%
Omw3OCN}2hU%l`m)5jkc6

literal 0
HcmV?d00001

diff --git a/tests/enrichers/test_timestamping_enricher.py b/tests/enrichers/test_timestamping_enricher.py
new file mode 100644
index 0000000..3c978f0
--- /dev/null
+++ b/tests/enrichers/test_timestamping_enricher.py
@@ -0,0 +1,41 @@
+import pytest
+from auto_archiver.modules.timestamping_enricher.timestamping_enricher import TimestampingEnricher
+
+
+@pytest.fixture
+def digicert():
+    with open("tests/data/timestamp_token_digicert_com.crt", "rb") as f:
+        return f.read()
+
+@pytest.mark.download
+def test_sign_data(setup_module):
+    tsa_url = "http://timestamp.digicert.com"
+    tsp: TimestampingEnricher = setup_module("timestamping_enricher")
+    data = b"4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef"
+    result: bytes = tsp.sign_data(tsa_url, data)
+    assert isinstance(result, bytes)
+
+    try:
+        tsp.verify_signed(result, data)
+    except Exception as e:
+        pytest.fail(f"Verification failed: {e}")
+
+def test_tsp_enricher_download_syndication(setup_module, digicert):
+    tsp: TimestampingEnricher = setup_module("timestamping_enricher")
+    try:
+        cert_chain = tsp.download_and_verify_certificate(digicert)
+        assert len(cert_chain) == 3
+        assert cert_chain[0].filename == "/var/folders/h7/g67pz_kx67q7qxzzrrhvry5r0000gn/T/74515005589773707779.crt"
+        assert cert_chain[1].filename == "/var/folders/h7/g67pz_kx67q7qxzzrrhvry5r0000gn/T/95861100433808324400.crt"
+        assert cert_chain[2].filename == "/var/folders/h7/g67pz_kx67q7qxzzrrhvry5r0000gn/T/15527051335772373346.crt"
+    except Exception as e:
+        pytest.fail(f"Verification failed: {e}")
+
+
+def test_tst_cert_valid(setup_module, digicert):
+    tsp: TimestampingEnricher = setup_module("timestamping_enricher")
+    
+    try:
+        tsp.verify_signed(digicert, b"4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef")
+    except Exception as e:
+        pytest.fail(f"Verification failed: {e}") 
\ No newline at end of file