19716868586

Committed 26 Nov 2025 08:40PM UTC coverage: 40.376%. First build

Build # 19716868586

Build Type

Pull #5822

github

Committed by

web-flow

Commit Message

Merge 3ec094e08 into b12f5ce99

Pull Request Pull Request #5822: feat: validate CRL when sign a document

Run Details

0 of 4 new or added lines in 1 file covered. (0.0%)

4772 of 11819 relevant lines covered (40.38%)

3.51 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

45.45

/lib/Service/IdentifyMethod/SignatureMethod/Password.php

<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Libresign\Service\IdentifyMethod\SignatureMethod;

use OCA\Libresign\Exception\InvalidPasswordException;
use OCA\Libresign\Exception\LibresignException;
use OCA\Libresign\Handler\SignEngine\Pkcs12Handler;
use OCA\Libresign\Service\IdentifyMethod\IdentifyService;
use OCP\IUserSession;

class Password extends AbstractSignatureMethod {
        public function __construct(
                protected IdentifyService $identifyService,
                protected Pkcs12Handler $pkcs12Handler,
                private IUserSession $userSession,
        ) {
                // TRANSLATORS Name of possible authenticator method. This signalize that the signer could be identified by certificate password
                $this->friendlyName = $this->identifyService->getL10n()->t('Certificate with password');
                parent::__construct(
                        $identifyService,
                );
        }

        #[\Override]
        public function validateToSign(): void {
                $this->validateToIdentify();
                try {
                        $certificateData = $this->pkcs12Handler
                                ->setCertificate($this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID()))
                                ->setPassword($this->codeSentByUser)
                                ->readCertificate();
                } catch (InvalidPasswordException) {
                        throw new LibresignException($this->identifyService->getL10n()->t('Invalid user or password'));
                }

                $this->validateCertificateRevocation($certificateData);
                $this->validateCertificateExpiration($certificateData);
        }

        private function validateCertificateRevocation(array $certificateData): void {
                if (isset($certificateData['crl_validation']) && $certificateData['crl_validation'] !== 'valid') {
                        throw new LibresignException($this->identifyService->getL10n()->t('Certificate has been revoked'), 400);
                }
        }

        private function validateCertificateExpiration(array $certificateData): void {
                if (isset($certificateData['valid_to'])) {
                        $validTo = \DateTime::createFromFormat('F j, Y, g:i:s A', $certificateData['valid_to']);
                        if ($validTo === false) {
                                throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 400);
                        }
                        $now = new \DateTime();
                        if ($validTo < $now) {
                                throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 400);
                        }
                }
        }

        #[\Override]
        public function validateToIdentify(): void {
                $this->pkcs12Handler->setPassword($this->codeSentByUser);
                $pfx = $this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID());
                if (empty($pfx)) {
                        throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'));
                }
        }

        #[\Override]
        public function toArray(): array {
                $return = parent::toArray();
                $return['hasSignatureFile'] = $this->hasSignatureFile();
                return $return;
        }

        private function hasSignatureFile(): bool {
                try {
                        $this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID());
                        return true;
                } catch (\Throwable) {
                }
                return false;
        }
}

1	<?php
2
3	declare(strict_types=1);
4	/**
5	* SPDX-FileCopyrightText: 2020-2024 LibreCode coop and contributors
6	* SPDX-License-Identifier: AGPL-3.0-or-later
7	*/
8
9	namespace OCA\Libresign\Service\IdentifyMethod\SignatureMethod;
10
11	use OCA\Libresign\Exception\InvalidPasswordException;
12	use OCA\Libresign\Exception\LibresignException;
13	use OCA\Libresign\Handler\SignEngine\Pkcs12Handler;
14	use OCA\Libresign\Service\IdentifyMethod\IdentifyService;
15	use OCP\IUserSession;
16
17	class Password extends AbstractSignatureMethod {
18	public function __construct(
19	protected IdentifyService $identifyService,
20	protected Pkcs12Handler $pkcs12Handler,
21	private IUserSession $userSession,
22	) {
23	// TRANSLATORS Name of possible authenticator method. This signalize that the signer could be identified by certificate password
24	$this->friendlyName = $this->identifyService->getL10n()->t('Certificate with password');	14✔
25	parent::__construct(	14✔
26	$identifyService,	14✔
27	);	14✔
28	}
29
30	#[\Override]
31	public function validateToSign(): void {
32	$this->validateToIdentify();	2✔
33	try {
34	$certificateData = $this->pkcs12Handler	1✔
35	->setCertificate($this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID()))	1✔
36	->setPassword($this->codeSentByUser)	1✔
37	->readCertificate();	1✔
38	} catch (InvalidPasswordException) {	1✔
39	throw new LibresignException($this->identifyService->getL10n()->t('Invalid user or password'));	1✔
40	}
41
NEW 42	$this->validateCertificateRevocation($certificateData);	×
NEW 43	$this->validateCertificateExpiration($certificateData);	×
44	}
45
46	private function validateCertificateRevocation(array $certificateData): void {
NEW 47	if (isset($certificateData['crl_validation']) && $certificateData['crl_validation'] !== 'valid') {	×
NEW 48	throw new LibresignException($this->identifyService->getL10n()->t('Certificate has been revoked'), 400);	×
49	}
50	}
51
52	private function validateCertificateExpiration(array $certificateData): void {
53	if (isset($certificateData['valid_to'])) {	×
54	$validTo = \DateTime::createFromFormat('F j, Y, g:i:s A', $certificateData['valid_to']);	×
55	if ($validTo === false) {	×
56	throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 400);	×
57	}
58	$now = new \DateTime();	×
59	if ($validTo < $now) {	×
60	throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 400);	×
61	}
62	}
63	}
64
65	#[\Override]
66	public function validateToIdentify(): void {
67	$this->pkcs12Handler->setPassword($this->codeSentByUser);	4✔
68	$pfx = $this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID());	4✔
69	if (empty($pfx)) {	4✔
70	throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'));	2✔
71	}
72	}
73
74	#[\Override]
75	public function toArray(): array {
76	$return = parent::toArray();	×
77	$return['hasSignatureFile'] = $this->hasSignatureFile();	×
78	return $return;	×
79	}
80
81	private function hasSignatureFile(): bool {
82	try {
83	$this->pkcs12Handler->getPfxOfCurrentSigner($this->userSession->getUser()?->getUID());	×
84	return true;	×
85	} catch (\Throwable) {	×
86	}
87	return false;	×
88	}
89	}

LibreSign / libresign / 19716868586

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous