Cryptosign backend using gpgme (gpgsm) for all your signature needs

author: Sune Vuorela <sune@vuorela.dk> 2023-04-11 13:39:36 +0200
committer: Sune Vuorela <sune@vuorela.dk> 2023-05-21 15:07:41 +0200
commit: 4efd2f9f8175cb5d448809b56f67524df6e220aa (patch)
tree: 63b35dd0f8378c5c009a5ab8368dd5c1bf14adfa
parent: 9065bd7d5fb9f9554235eafe8a67d0f67ea25faf (diff)
8 files changed, 557 insertions, 22 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a7438542..8b8cd554 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -377,9 +377,6 @@ if (_signing_backends_count GREATER 0)
     # This means that the order we append them to the list is significant
     list(GET SIGNATURE_BACKENDS 0 DEFAULT_SIGNATURE_BACKEND)
   endif()
-  if (NOT DEFAULT_SIGNATURE_BACKEND IN_LIST SIGNATURE_BACKENDS)
-    message(FATAL_ERROR "default signature backend must be one of ${SIGNATURE_BACKENDS}, was ${DEFAULT_SIGNATURE_BACKEND}")
-  endif()
   set(ENABLE_SIGNATURES ON)
 endif()
 if (NOT DEFAULT_SIGNATURE_BACKEND)
@@ -559,6 +556,12 @@ if (ENABLE_NSS3)
   )
   set(poppler_LIBS ${poppler_LIBS} PkgConfig::NSS3)
 endif()
+if (ENABLE_GPGME)
+  set(poppler_SRCS ${poppler_SRCS}
+    poppler/GPGMECryptoSignBackend.cc
+  )
+  set(poppler_LIBS ${poppler_LIBS} Gpgmepp)
+endif()
 if (OpenJPEG_FOUND)
   set(poppler_SRCS ${poppler_SRCS}
     poppler/JPEG2000Stream.cc
diff --git a/config.h.cmake b/config.h.cmake
index 4d6ef551..10abff6e 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -27,6 +27,9 @@
 /* Build against libnss3 for digital signature validation */
 #cmakedefine ENABLE_NSS3 1
 
+/* Build against libgpgme for digital signature validation */
+#cmakedefine ENABLE_GPGME 1
+
 /* Signatures enabled */
 #cmakedefine ENABLE_SIGNATURES 1
 
diff --git a/poppler/CryptoSignBackend.cc b/poppler/CryptoSignBackend.cc
index 1bd28363..324143db 100644
--- a/poppler/CryptoSignBackend.cc
+++ b/poppler/CryptoSignBackend.cc
@@ -8,6 +8,9 @@
 //========================================================================
 #include "CryptoSignBackend.h"
 #include "config.h"
+#ifdef ENABLE_GPGME
+#    include "GPGMECryptoSignBackend.h"
+#endif
 #ifdef ENABLE_NSS3
 #    include "SignatureHandler.h"
 #endif
@@ -31,6 +34,9 @@ std::optional<CryptoSign::Backend::Type> Factory::typeFromString(std::string_vie
     if (string.empty()) {
         return std::nullopt;
     }
+    if ("GPG" == string) {
+        return Backend::Type::GPGME;
+    }
     if ("NSS" == string) {
         return Backend::Type::NSS3;
     }
@@ -59,6 +65,11 @@ static std::vector<Backend::Type> createAvailableBackends()
 #ifdef ENABLE_NSS3
     backends.push_back(Backend::Type::NSS3);
 #endif
+#ifdef ENABLE_GPGME
+    if (GpgSignatureBackend::hasSufficientVersion()) {
+        backends.push_back(Backend::Type::GPGME);
+    }
+#endif
     return backends;
 }
 std::vector<Backend::Type> Factory::getAvailable()
@@ -83,6 +94,13 @@ std::unique_ptr<CryptoSign::Backend> CryptoSign::Factory::create(Backend::Type b
 #else
         return nullptr;
 #endif
+    case Backend::Type::GPGME: {
+#ifdef ENABLE_GPGME
+        return std::make_unique<GpgSignatureBackend>();
+#else
+        return nullptr;
+#endif
+    }
     }
     return nullptr;
 }
diff --git a/poppler/CryptoSignBackend.h b/poppler/CryptoSignBackend.h
index a763e27c..9c79a24d 100644
--- a/poppler/CryptoSignBackend.h
+++ b/poppler/CryptoSignBackend.h
@@ -63,7 +63,8 @@ class Backend
 public:
     enum class Type
     {
-        NSS3
+        NSS3,
+        GPGME
     };
     virtual std::unique_ptr<VerificationInterface> createVerificationHandler(std::vector<unsigned char> &&pkcs7) = 0;
     virtual std::unique_ptr<SigningInterface> createSigningHandler(const std::string &certID, HashAlgorithm digestAlgTag) = 0;
diff --git a/poppler/GPGMECryptoSignBackend.cc b/poppler/GPGMECryptoSignBackend.cc
new file mode 100644
index 00000000..1b7f1d5c
--- /dev/null
+++ b/poppler/GPGMECryptoSignBackend.cc
@@ -0,0 +1,387 @@
+//========================================================================
+//
+// GPGMECryptoSignBackend.cc
+//
+// This file is licensed under the GPLv2 or later
+//
+// Copyright 2023 g10 Code GmbH, Author: Sune Stolborg Vuorela <sune@vuorela.dk>
+//========================================================================
+#include "GPGMECryptoSignBackend.h"
+#include "DistinguishedNameParser.h"
+#include <gpgme.h>
+#include <gpgme++/key.h>
+#include <gpgme++/gpgmepp_version.h>
+#include <gpgme++/signingresult.h>
+#include <gpgme++/engineinfo.h>
+
+bool GpgSignatureBackend::hasSufficientVersion()
+{
+    // gpg 2.4.0 does not support padded signatures.
+    // Most gpg signatures are padded. This is fixed for 2.4.1
+    // gpg 2.4.0 does not support generating signatures
+    // with definite lengths. This is also fixed for 2.4.1.
+    return GpgME::engineInfo(GpgME::GpgSMEngine).engineVersion() > "2.4.0";
+}
+
+/// GPGME helper methods
+
+// gpgme++'s string-like functions returns char pointers that can be nullptr
+// Creating std::string from nullptr is, depending on c++ standards versions
+// either undefined behavior or illegal, so we need a helper.
+
+static std::string fromCharPtr(const char *data)
+{
+    if (data) {
+        return std::string { data };
+    }
+    return {};
+}
+
+static bool isSuccess(const GpgME::Error &err)
+{
+    if (err) {
+        return false;
+    }
+    if (err.isCanceled()) {
+        return false;
+    }
+    return true;
+}
+
+template<typename Result>
+static bool isValidResult(const Result &result)
+{
+    return isSuccess(result.error());
+}
+
+template<typename Result>
+static bool hasValidResult(const std::optional<Result> &result)
+{
+    if (!result) {
+        return false;
+    }
+    return isValidResult(result.value());
+}
+
+static std::optional<GpgME::Signature> getSignature(const GpgME::VerificationResult &result, size_t signatureNumber)
+{
+    if (result.numSignatures() > signatureNumber) {
+        return result.signature(signatureNumber);
+    }
+    return std::nullopt;
+}
+
+static X509CertificateInfo::Validity getValidityFromSubkey(const GpgME::Subkey &key)
+{
+    X509CertificateInfo::Validity validity;
+    validity.notBefore = key.creationTime();
+    validity.notAfter = key.expirationTime();
+    return validity;
+}
+
+static X509CertificateInfo::EntityInfo getEntityInfoFromKey(std::string_view dnString)
+{
+    const auto dn = DN::parseString(dnString);
+    X509CertificateInfo::EntityInfo info;
+    info.commonName = DN::FindFirstValue(dn, "CN").value_or(std::string {});
+    info.organization = DN::FindFirstValue(dn, "O").value_or(std::string {});
+    info.email = DN::FindFirstValue(dn, "EMAIL").value_or(std::string {});
+    info.distinguishedName = std::string { dnString };
+    return info;
+}
+
+static std::unique_ptr<X509CertificateInfo> getCertificateInfoFromKey(const GpgME::Key &key)
+{
+    auto certificateInfo = std::make_unique<X509CertificateInfo>();
+    certificateInfo->setIssuerInfo(getEntityInfoFromKey(fromCharPtr(key.issuerName())));
+    certificateInfo->setSerialNumber(GooString { DN::detail::parseHexString(fromCharPtr(key.issuerSerial())).value_or("") });
+    auto subjectInfo = getEntityInfoFromKey(fromCharPtr(key.userID(0).id()));
+    if (subjectInfo.email.empty()) {
+        subjectInfo.email = fromCharPtr(key.userID(1).email());
+    }
+    certificateInfo->setSubjectInfo(std::move(subjectInfo));
+    certificateInfo->setValidity(getValidityFromSubkey(key.subkey(0)));
+    certificateInfo->setNickName(GooString(fromCharPtr(key.primaryFingerprint())));
+    X509CertificateInfo::PublicKeyInfo pkInfo;
+    pkInfo.publicKeyStrength = key.subkey(0).length();
+    switch (key.subkey(0).publicKeyAlgorithm()) {
+    case GpgME::Subkey::AlgoDSA:
+        pkInfo.publicKeyType = DSAKEY;
+        break;
+    case GpgME::Subkey::AlgoECC:
+    case GpgME::Subkey::AlgoECDH:
+    case GpgME::Subkey::AlgoECDSA:
+    case GpgME::Subkey::AlgoEDDSA:
+        pkInfo.publicKeyType = ECKEY;
+        break;
+    case GpgME::Subkey::AlgoRSA:
+    case GpgME::Subkey::AlgoRSA_E:
+    case GpgME::Subkey::AlgoRSA_S:
+        pkInfo.publicKeyType = RSAKEY;
+        break;
+    case GpgME::Subkey::AlgoELG:
+    case GpgME::Subkey::AlgoELG_E:
+    case GpgME::Subkey::AlgoMax:
+    case GpgME::Subkey::AlgoUnknown:
+        pkInfo.publicKeyType = OTHERKEY;
+    }
+    {
+        auto ctx = GpgME::Context::create(GpgME::CMS);
+        GpgME::Data pubkeydata;
+        const auto err = ctx->exportPublicKeys(key.primaryFingerprint(), pubkeydata);
+        if (isSuccess(err)) {
+            certificateInfo->setCertificateDER(GooString(pubkeydata.toString()));
+        }
+    }
+
+    certificateInfo->setPublicKeyInfo(std::move(pkInfo));
+
+    int kue = 0;
+    // this block is kind of a hack. GPGSM collapses multiple
+    // into one bit, so trying to match it back can never be good
+    if (key.canSign()) {
+        kue |= KU_NON_REPUDIATION;
+        kue |= KU_DIGITAL_SIGNATURE;
+    }
+    if (key.canEncrypt()) {
+        kue |= KU_KEY_ENCIPHERMENT;
+        kue |= KU_DATA_ENCIPHERMENT;
+    }
+    if (key.canCertify()) {
+        kue |= KU_KEY_CERT_SIGN;
+    }
+    certificateInfo->setKeyUsageExtensions(kue);
+
+    return certificateInfo;
+}
+
+/// implementation of header file
+
+GpgSignatureBackend::GpgSignatureBackend()
+{
+    GpgME::initializeLibrary();
+}
+
+std::unique_ptr<CryptoSign::SigningInterface> GpgSignatureBackend::createSigningHandler(const std::string &certID, HashAlgorithm digestAlgTag)
+{
+    return std::make_unique<GpgSignatureCreation>(certID, digestAlgTag);
+}
+
+std::unique_ptr<CryptoSign::VerificationInterface> GpgSignatureBackend::createVerificationHandler(std::vector<unsigned char> &&pkcs7)
+{
+    return std::make_unique<GpgSignatureVerification>(std::move(pkcs7));
+}
+
+std::vector<std::unique_ptr<X509CertificateInfo>> GpgSignatureBackend::getAvailableSigningCertificates()
+{
+    std::vector<std::unique_ptr<X509CertificateInfo>> certificates;
+    const auto context = GpgME::Context::create(GpgME::CMS);
+    auto err = context->startKeyListing(static_cast<const char *>(nullptr), true /*secretOnly*/);
+    while (isSuccess(err)) {
+        const auto key = context->nextKey(err);
+        if (!key.isNull() && isSuccess(err)) {
+            if (key.isBad()) {
+                continue;
+            }
+            if (!key.canSign()) {
+                continue;
+            }
+            certificates.push_back(getCertificateInfoFromKey(key));
+        } else {
+            break;
+        }
+    }
+    return certificates;
+}
+
+GpgSignatureCreation::GpgSignatureCreation(const std::string &certId, HashAlgorithm digestAlgTag) : gpgContext { GpgME::Context::create(GpgME::CMS) }
+{
+    GpgME::Error error;
+    const auto signingKey = gpgContext->key(certId.c_str(), error, true);
+    if (isSuccess(error)) {
+        gpgContext->addSigningKey(signingKey);
+        key = signingKey;
+    }
+}
+
+void GpgSignatureCreation::addData(unsigned char *dataBlock, int dataLen)
+{
+    gpgData.write(dataBlock, dataLen);
+}
+std::optional<GooString> GpgSignatureCreation::signDetached(const std::string &password)
+{
+    if (!key) {
+        return {};
+    }
+    gpgData.rewind();
+    GpgME::Data signatureData;
+    const auto signingResult = gpgContext->sign(gpgData, signatureData, GpgME::SignatureMode::Detached);
+    if (!isValidResult(signingResult)) {
+        return {};
+    }
+
+    const auto signatureString = signatureData.toString();
+    return GooString(std::move(signatureString));
+}
+
+std::unique_ptr<X509CertificateInfo> GpgSignatureCreation::getCertificateInfo() const
+{
+    if (!key) {
+        return nullptr;
+    }
+    return getCertificateInfoFromKey(*key);
+}
+
+GpgSignatureVerification::GpgSignatureVerification(const std::vector<unsigned char> &p7data) : gpgContext { GpgME::Context::create(GpgME::CMS) }, signatureData(reinterpret_cast<const char *>(p7data.data()), p7data.size())
+{
+    gpgContext->setOffline(true);
+    signatureData.setEncoding(GpgME::Data::BinaryEncoding);
+}
+
+void GpgSignatureVerification::addData(unsigned char *dataBlock, int dataLen)
+{
+    signedData.write(dataBlock, dataLen);
+}
+
+std::unique_ptr<X509CertificateInfo> GpgSignatureVerification::getCertificateInfo() const
+{
+    if (!hasValidResult(gpgResult)) {
+        return nullptr;
+    }
+    auto signature = getSignature(gpgResult.value(), 0);
+    if (!signature) {
+        return nullptr;
+    }
+    auto gpgInfo = getCertificateInfoFromKey(signature->key(true, false));
+    return gpgInfo;
+}
+
+HashAlgorithm GpgSignatureVerification::getHashAlgorithm() const
+{
+    if (gpgResult) {
+        const auto signature = getSignature(gpgResult.value(), 0);
+        if (!signature) {
+            return HashAlgorithm::Unknown;
+        }
+        switch (signature->hashAlgorithm()) {
+        case GPGME_MD_MD5:
+            return HashAlgorithm::Md5;
+        case GPGME_MD_SHA1:
+            return HashAlgorithm::Sha1;
+        case GPGME_MD_MD2:
+            return HashAlgorithm::Md2;
+        case GPGME_MD_SHA256:
+            return HashAlgorithm::Sha256;
+        case GPGME_MD_SHA384:
+            return HashAlgorithm::Sha384;
+        case GPGME_MD_SHA512:
+            return HashAlgorithm::Sha512;
+        case GPGME_MD_SHA224:
+            return HashAlgorithm::Sha224;
+        case GPGME_MD_NONE:
+        case GPGME_MD_RMD160:
+        case GPGME_MD_TIGER:
+        case GPGME_MD_HAVAL:
+        case GPGME_MD_MD4:
+        case GPGME_MD_CRC32:
+        case GPGME_MD_CRC32_RFC1510:
+        case GPGME_MD_CRC24_RFC2440:
+        default:
+            return HashAlgorithm::Unknown;
+        }
+    }
+    return HashAlgorithm::Unknown;
+}
+
+std::string GpgSignatureVerification::getSignerName() const
+{
+    if (!hasValidResult(gpgResult)) {
+        return {};
+    }
+
+    const auto signature = getSignature(gpgResult.value(), 0);
+    if (!signature) {
+        return {};
+    }
+    const auto dn = DN::parseString(fromCharPtr(signature->key(true, false).userID(0).id()));
+    return DN::FindFirstValue(dn, "CN").value_or("");
+}
+
+std::string GpgSignatureVerification::getSignerSubjectDN() const
+{
+    if (!hasValidResult(gpgResult)) {
+        return {};
+    }
+    const auto signature = getSignature(gpgResult.value(), 0);
+    if (!signature) {
+        return {};
+    }
+    return fromCharPtr(signature->key(true, false).userID(0).id());
+}
+
+std::chrono::system_clock::time_point GpgSignatureVerification::getSigningTime() const
+{
+    if (!hasValidResult(gpgResult)) {
+        return {};
+    }
+    const auto signature = getSignature(gpgResult.value(), 0);
+    if (!signature) {
+        return {};
+    }
+    return std::chrono::system_clock::from_time_t(signature->creationTime());
+}
+
+CertificateValidationStatus GpgSignatureVerification::validateCertificate(std::chrono::system_clock::time_point validation_time, bool ocspRevocationCheck, bool useAIACertFetch)
+{
+    if (!gpgResult) {
+        return CERTIFICATE_NOT_VERIFIED;
+    }
+    if (gpgResult->error()) {
+        return CERTIFICATE_GENERIC_ERROR;
+    }
+    const auto signature = getSignature(gpgResult.value(), 0);
+    if (!signature) {
+        return CERTIFICATE_GENERIC_ERROR;
+    }
+    const auto offline = gpgContext->offline();
+    gpgContext->setOffline(!ocspRevocationCheck);
+    const auto key = signature->key(true, true);
+    gpgContext->setOffline(offline);
+    if (key.isExpired()) {
+        return CERTIFICATE_EXPIRED;
+    }
+    if (key.isRevoked()) {
+        return CERTIFICATE_REVOKED;
+    }
+    if (key.isBad()) {
+        return CERTIFICATE_NOT_VERIFIED;
+    }
+    return CERTIFICATE_TRUSTED;
+}
+
+SignatureValidationStatus GpgSignatureVerification::validateSignature()
+{
+    signedData.rewind();
+    const auto result = gpgContext->verifyDetachedSignature(signatureData, signedData);
+    gpgResult = result;
+
+    if (!isValidResult(result)) {
+        return SIGNATURE_DECODING_ERROR;
+    }
+    const auto signature = getSignature(result, 0);
+    if (!signature) {
+        return SIGNATURE_DECODING_ERROR;
+    }
+    // Ensure key is actually available
+    signature->key(true, true);
+    const auto summary = signature->summary();
+
+    using Summary = GpgME::Signature::Summary;
+    if (summary & Summary::Red) {
+        return SIGNATURE_INVALID;
+    }
+    if (summary & Summary::Green || summary & Summary::Valid) {
+        return SIGNATURE_VALID;
+    }
+    return SIGNATURE_GENERIC_ERROR;
+}
diff --git a/poppler/GPGMECryptoSignBackend.h b/poppler/GPGMECryptoSignBackend.h
new file mode 100644
index 00000000..776dfc23
--- /dev/null
+++ b/poppler/GPGMECryptoSignBackend.h
@@ -0,0 +1,57 @@
+//========================================================================
+//
+// GPGMECryptoSignBackend.h
+//
+// This file is licensed under the GPLv2 or later
+//
+// Copyright 2023 g10 Code GmbH, Author: Sune Stolborg Vuorela <sune@vuorela.dk>
+//========================================================================
+#include "CryptoSignBackend.h"
+
+#include <gpgme++/data.h>
+#include <gpgme++/context.h>
+#include <optional>
+
+class GpgSignatureBackend : public CryptoSign::Backend
+{
+public:
+    GpgSignatureBackend();
+    std::unique_ptr<CryptoSign::VerificationInterface> createVerificationHandler(std::vector<unsigned char> &&pkcs7) final;
+    std::unique_ptr<CryptoSign::SigningInterface> createSigningHandler(const std::string &certID, HashAlgorithm digestAlgTag) final;
+    std::vector<std::unique_ptr<X509CertificateInfo>> getAvailableSigningCertificates() final;
+    static bool hasSufficientVersion();
+};
+
+class GpgSignatureCreation : public CryptoSign::SigningInterface
+{
+public:
+    GpgSignatureCreation(const std::string &certId, HashAlgorithm digestAlgTag);
+    void addData(unsigned char *dataBlock, int dataLen) final;
+    std::unique_ptr<X509CertificateInfo> getCertificateInfo() const final;
+    std::optional<GooString> signDetached(const std::string &password) final;
+
+private:
+    std::unique_ptr<GpgME::Context> gpgContext;
+    GpgME::Data gpgData;
+    std::optional<GpgME::Key> key;
+};
+
+class GpgSignatureVerification : public CryptoSign::VerificationInterface
+{
+public:
+    explicit GpgSignatureVerification(const std::vector<unsigned char> &pkcs7data);
+    SignatureValidationStatus validateSignature() final;
+    void addData(unsigned char *dataBlock, int dataLen) final;
+    std::chrono::system_clock::time_point getSigningTime() const final;
+    std::string getSignerName() const final;
+    std::string getSignerSubjectDN() const final;
+    HashAlgorithm getHashAlgorithm() const final;
+    CertificateValidationStatus validateCertificate(std::chrono::system_clock::time_point validation_time, bool ocspRevocationCheck, bool useAIACertFetch) final;
+    std::unique_ptr<X509CertificateInfo> getCertificateInfo() const final;
+
+private:
+    std::unique_ptr<GpgME::Context> gpgContext;
+    GpgME::Data signatureData;
+    GpgME::Data signedData;
+    std::optional<GpgME::VerificationResult> gpgResult;
+};
diff --git a/qt5/tests/check_signature_basics.cpp b/qt5/tests/check_signature_basics.cpp
index 7cdb1c37..94aad2f6 100644
--- a/qt5/tests/check_signature_basics.cpp
+++ b/qt5/tests/check_signature_basics.cpp
@@ -16,6 +16,7 @@
 #include "PDFDoc.h"
 #include "GlobalParams.h"
 #include "SignatureInfo.h"
+#include "CryptoSignBackend.h"
 #include "config.h"
 
 class TestSignatureBasics : public QObject
@@ -27,7 +28,9 @@ public:
 private:
     std::unique_ptr<PDFDoc> doc;
 private Q_SLOTS:
-    void initTestCase();
+    void init();
+    void initTestCase_data();
+    void initTestCase() { }
     void cleanupTestCase();
     void testSignatureCount();
     void testSignatureSizes();
@@ -35,13 +38,34 @@ private Q_SLOTS:
     void testSignedRanges();
 };
 
-void TestSignatureBasics::initTestCase()
+Q_DECLARE_METATYPE(CryptoSign::Backend::Type);
+
+void TestSignatureBasics::init()
 {
+#ifdef ENABLE_SIGNATURES
+    QFETCH_GLOBAL(CryptoSign::Backend::Type, backend);
+    CryptoSign::Factory::setPreferredBackend(backend);
+    QCOMPARE(CryptoSign::Factory::getActive(), backend);
+#endif
+
     globalParams = std::make_unique<GlobalParams>();
     doc = std::make_unique<PDFDoc>(std::make_unique<GooString>(TESTDATADIR "/unittestcases/pdf-signature-sample-2sigs.pdf"));
     QVERIFY(doc);
     QVERIFY(doc->isOk());
 }
+
+void TestSignatureBasics::initTestCase_data()
+{
+    QTest::addColumn<CryptoSign::Backend::Type>("backend");
+
+#ifdef ENABLE_NSS3
+    QTest::newRow("nss") << CryptoSign::Backend::Type::NSS3;
+#endif
+#ifdef ENABLE_GPGME
+    QTest::newRow("gpg") << CryptoSign::Backend::Type::GPGME;
+#endif
+}
+
 void TestSignatureBasics::cleanupTestCase()
 {
     globalParams.reset();
@@ -62,11 +86,13 @@ void TestSignatureBasics::testSignatureCount()
 void TestSignatureBasics::testSignatureSizes()
 {
     auto signatureFields = doc->getSignatureFields();
-    // Note for later. Unpadding a signature on a command line with openssl can
-    // be done just by rewriting after using e.g. pdfsig -dump to extract them
-    // openssl pkcs7 -inform der -in pdf-signature-sample-2sigs.pdf.sig0 -outform der -out pdf-signature-sample-2sigs.pdf.sig0.unpadded
-    QCOMPARE(signatureFields[0]->getSignature()->getLength(), 10230); // This is technically wrong, because the signatures in this document has been padded. The correct size is 2340
-    QCOMPARE(signatureFields[1]->getSignature()->getLength(), 10196); // This is technically wrong, because the signatures in this document has been padded. The correct size is 2340
+    // These are not the actual signature lengths, but rather
+    // the length of the signature field, which is likely
+    // a padded field. At least the pdf specification suggest to pad
+    // the field.
+    // Poppler before 23.04 did not have a padded field, later versions do.
+    QCOMPARE(signatureFields[0]->getSignature()->getLength(), 10230); // Signature data size is 2340
+    QCOMPARE(signatureFields[1]->getSignature()->getLength(), 10196); // Signature data size is 2340
 }
 
 void TestSignatureBasics::testSignerInfo()
@@ -75,9 +101,10 @@ void TestSignatureBasics::testSignerInfo()
     QCOMPARE(signatureFields[0]->getCreateWidget()->getField()->getFullyQualifiedName()->toStr(), std::string { "P2.AnA_Signature0_B_" });
     QCOMPARE(signatureFields[0]->getSignatureType(), ETSI_CAdES_detached);
     auto siginfo0 = signatureFields[0]->validateSignature(false, false, -1 /* now */, false, false);
-#ifdef ENABLE_NSS3
+#ifdef ENABLE_SIGNATURES
     QCOMPARE(siginfo0->getSignerName(), std::string { "Koch, Werner" });
     QCOMPARE(siginfo0->getHashAlgorithm(), HashAlgorithm::Sha256);
+    QCOMPARE(siginfo0->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 2048 / 8);
 #else
     QCOMPARE(siginfo0->getSignerName(), std::string {});
     QCOMPARE(siginfo0->getHashAlgorithm(), HashAlgorithm::Unknown);
@@ -87,9 +114,16 @@ void TestSignatureBasics::testSignerInfo()
     QCOMPARE(signatureFields[1]->getCreateWidget()->getField()->getFullyQualifiedName()->toStr(), std::string { "P2.AnA_Signature1_B_" });
     QCOMPARE(signatureFields[1]->getSignatureType(), ETSI_CAdES_detached);
     auto siginfo1 = signatureFields[1]->validateSignature(false, false, -1 /* now */, false, false);
-#ifdef ENABLE_NSS3
+#ifdef ENABLE_SIGNATURES
     QCOMPARE(siginfo1->getSignerName(), std::string { "Koch, Werner" });
     QCOMPARE(siginfo1->getHashAlgorithm(), HashAlgorithm::Sha256);
+    QFETCH_GLOBAL(CryptoSign::Backend::Type, backend);
+    if (backend == CryptoSign::Backend::Type::GPGME) {
+        QCOMPARE(siginfo1->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 2048 / 8);
+    } else if (backend == CryptoSign::Backend::Type::NSS3) {
+        // Not fully sure why it is zero here, but it seems to be.
+        QCOMPARE(siginfo1->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 0);
+    }
 #else
     QCOMPARE(siginfo1->getSignerName(), std::string {});
     QCOMPARE(siginfo1->getHashAlgorithm(), HashAlgorithm::Unknown);
diff --git a/qt6/tests/check_signature_basics.cpp b/qt6/tests/check_signature_basics.cpp
index 7cdb1c37..25589e93 100644
--- a/qt6/tests/check_signature_basics.cpp
+++ b/qt6/tests/check_signature_basics.cpp
@@ -16,6 +16,7 @@
 #include "PDFDoc.h"
 #include "GlobalParams.h"
 #include "SignatureInfo.h"
+#include "CryptoSignBackend.h"
 #include "config.h"
 
 class TestSignatureBasics : public QObject
@@ -27,7 +28,9 @@ public:
 private:
     std::unique_ptr<PDFDoc> doc;
 private Q_SLOTS:
-    void initTestCase();
+    void init();
+    void initTestCase_data();
+    void initTestCase() { }
     void cleanupTestCase();
     void testSignatureCount();
     void testSignatureSizes();
@@ -35,13 +38,32 @@ private Q_SLOTS:
     void testSignedRanges();
 };
 
-void TestSignatureBasics::initTestCase()
+void TestSignatureBasics::init()
 {
+#ifdef ENABLE_SIGNATURES
+    QFETCH_GLOBAL(CryptoSign::Backend::Type, backend);
+    CryptoSign::Factory::setPreferredBackend(backend);
+    QCOMPARE(CryptoSign::Factory::getActive(), backend);
+#endif
+
     globalParams = std::make_unique<GlobalParams>();
     doc = std::make_unique<PDFDoc>(std::make_unique<GooString>(TESTDATADIR "/unittestcases/pdf-signature-sample-2sigs.pdf"));
     QVERIFY(doc);
     QVERIFY(doc->isOk());
 }
+
+void TestSignatureBasics::initTestCase_data()
+{
+    QTest::addColumn<CryptoSign::Backend::Type>("backend");
+
+#ifdef ENABLE_NSS3
+    QTest::newRow("nss") << CryptoSign::Backend::Type::NSS3;
+#endif
+#ifdef ENABLE_GPGME
+    QTest::newRow("gpg") << CryptoSign::Backend::Type::GPGME;
+#endif
+}
+
 void TestSignatureBasics::cleanupTestCase()
 {
     globalParams.reset();
@@ -62,11 +84,13 @@ void TestSignatureBasics::testSignatureCount()
 void TestSignatureBasics::testSignatureSizes()
 {
     auto signatureFields = doc->getSignatureFields();
-    // Note for later. Unpadding a signature on a command line with openssl can
-    // be done just by rewriting after using e.g. pdfsig -dump to extract them
-    // openssl pkcs7 -inform der -in pdf-signature-sample-2sigs.pdf.sig0 -outform der -out pdf-signature-sample-2sigs.pdf.sig0.unpadded
-    QCOMPARE(signatureFields[0]->getSignature()->getLength(), 10230); // This is technically wrong, because the signatures in this document has been padded. The correct size is 2340
-    QCOMPARE(signatureFields[1]->getSignature()->getLength(), 10196); // This is technically wrong, because the signatures in this document has been padded. The correct size is 2340
+    // These are not the actual signature lengths, but rather
+    // the length of the signature field, which is likely
+    // a padded field. At least the pdf specification suggest to pad
+    // the field.
+    // Poppler before 23.04 did not have a padded field, later versions do.
+    QCOMPARE(signatureFields[0]->getSignature()->getLength(), 10230); // Signature data size is 2340
+    QCOMPARE(signatureFields[1]->getSignature()->getLength(), 10196); // Signature data size is 2340
 }
 
 void TestSignatureBasics::testSignerInfo()
@@ -75,9 +99,10 @@ void TestSignatureBasics::testSignerInfo()
     QCOMPARE(signatureFields[0]->getCreateWidget()->getField()->getFullyQualifiedName()->toStr(), std::string { "P2.AnA_Signature0_B_" });
     QCOMPARE(signatureFields[0]->getSignatureType(), ETSI_CAdES_detached);
     auto siginfo0 = signatureFields[0]->validateSignature(false, false, -1 /* now */, false, false);
-#ifdef ENABLE_NSS3
+#ifdef ENABLE_SIGNATURES
     QCOMPARE(siginfo0->getSignerName(), std::string { "Koch, Werner" });
     QCOMPARE(siginfo0->getHashAlgorithm(), HashAlgorithm::Sha256);
+    QCOMPARE(siginfo0->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 2048 / 8);
 #else
     QCOMPARE(siginfo0->getSignerName(), std::string {});
     QCOMPARE(siginfo0->getHashAlgorithm(), HashAlgorithm::Unknown);
@@ -87,9 +112,16 @@ void TestSignatureBasics::testSignerInfo()
     QCOMPARE(signatureFields[1]->getCreateWidget()->getField()->getFullyQualifiedName()->toStr(), std::string { "P2.AnA_Signature1_B_" });
     QCOMPARE(signatureFields[1]->getSignatureType(), ETSI_CAdES_detached);
     auto siginfo1 = signatureFields[1]->validateSignature(false, false, -1 /* now */, false, false);
-#ifdef ENABLE_NSS3
+#ifdef ENABLE_SIGNATURES
     QCOMPARE(siginfo1->getSignerName(), std::string { "Koch, Werner" });
     QCOMPARE(siginfo1->getHashAlgorithm(), HashAlgorithm::Sha256);
+    QFETCH_GLOBAL(CryptoSign::Backend::Type, backend);
+    if (backend == CryptoSign::Backend::Type::GPGME) {
+        QCOMPARE(siginfo1->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 2048 / 8);
+    } else if (backend == CryptoSign::Backend::Type::NSS3) {
+        // Not fully sure why it is zero here, but it seems to be.
+        QCOMPARE(siginfo1->getCertificateInfo()->getPublicKeyInfo().publicKeyStrength, 0);
+    }
 #else
     QCOMPARE(siginfo1->getSignerName(), std::string {});
     QCOMPARE(siginfo1->getHashAlgorithm(), HashAlgorithm::Unknown);
author	Sune Vuorela <sune@vuorela.dk>	2023-04-11 13:39:36 +0200
committer	Sune Vuorela <sune@vuorela.dk>	2023-05-21 15:07:41 +0200
commit	4efd2f9f8175cb5d448809b56f67524df6e220aa (patch)
tree	63b35dd0f8378c5c009a5ab8368dd5c1bf14adfa
parent	9065bd7d5fb9f9554235eafe8a67d0f67ea25faf (diff)