Added additional tests for using no verify and key usages (#10)

* Added additional test certificates
* Added additional tests
* Added purpose any as no verify flag when no cert chain is provided

src/Service/Signature/NativeService.php

@@ -11,7 +11,7 @@ class NativeService implements SignatureCryptoInterface
     protected string $certPath;
     protected string $privKeyPath;
     protected string $privKeyPass;
-    protected string $certChainPath;
+    protected ?string $certChainPath;
     protected TempFileInterface $tempFileService;
 
     /**
@@ -27,12 +27,12 @@ public function __construct(
         ?string $privKeyPath = null,
         ?string $privKeyPass = null,
         ?string $certChainPath = null,
-        ?TempFileInterface $tempFileService,
+        ?TempFileInterface $tempFileService = null,
     ) {
         $this->certPath = $certPath ?? '';
         $this->privKeyPath = $privKeyPath ?? '';
         $this->privKeyPass = $privKeyPass ?? '';
-        $this->certChainPath = $certChainPath ?? '';
+        $this->certChainPath = !empty($certChainPath) ? $certChainPath : null;
         $this->tempFileService = $tempFileService ?? app(TempFileInterface::class);
     }
 
@@ -147,7 +147,7 @@ public function verify(
                 input_filename: ($detached ? $tmpFileContentDataPath : $tmpFileSignedDataPath) ?? '',
                 flags: $flags,
                 certificates: null,
-                ca_info: array($this->certChainPath),
+                ca_info: !empty($this->certChainPath) ? array($this->certChainPath) : [],
                 untrusted_certificates_filename: $tmpFileCertificateDataPath,
                 content: null,
                 pk7: null,

src/Service/Signature/ProcessSpawnService.php

@@ -22,13 +22,14 @@ class ProcessSpawnService implements SignatureCryptoInterface
      * @param string|null $privKeyPath
      * @param string|null $privKeyPass
      * @param string|null $certChainPath
+     * @param TempFileInterface|null $tempFileService
      */
     public function __construct(
         ?string $certPath = null,
         ?string $privKeyPath = null,
         ?string $privKeyPass = null,
         ?string $certChainPath = null,
-        ?TempFileInterface $tempFileService,
+        ?TempFileInterface $tempFileService = null,
     ) {
         $this->certPath = $certPath ?? '';
         $this->privKeyPath = $privKeyPath ?? '';
@@ -100,7 +101,6 @@ public function verify(
                 'openssl', 'cms', '-verify',
                 '-inform', 'DER',
                 '-noout',
-                '-purpose', 'any',
             ], $this->getOpenSslTags($verifyConfig));
 
             if (!empty($this->certChainPath)) {
@@ -152,6 +152,16 @@ protected function getOpenSslTags(?SignatureVerifyConfig $config): array
         if ($config?->getBinary()) {
             $flags[] = '-binary';
         }
+        if ($config?->getNoVerify()) {
+            // When we supply a cert chain, then we want to check the ca certificate
+            // Else we want to ignore the certificate purpose
+            if (!$this->certChainPath) {
+                $flags[] = '-noverify';
+            }
+
+            $flags[] = '-purpose';
+            $flags[] = 'any';
+        }
 
         return $flags;
     }

tests/Service/Signature/CorrectAttrTest.php

@@ -0,0 +1,185 @@
+<?php
+
+namespace MinVWS\Crypto\Laravel\Tests\Service\Signature;
+
+use MinVWS\Crypto\Laravel\Service\Signature\NativeService;
+use MinVWS\Crypto\Laravel\Service\Signature\ProcessSpawnService;
+use MinVWS\Crypto\Laravel\Service\Signature\SignatureVerifyConfig;
+use MinVWS\Crypto\Laravel\Service\TempFileService;
+use MinVWS\Crypto\Laravel\SignatureCryptoInterface;
+use MinVWS\Crypto\Laravel\TempFileInterface;
+use PHPUnit\Framework\TestCase;
+
+class CorrectAttrTest extends TestCase
+{
+    public function serviceTypeProvider(): array
+    {
+        return array(
+            array('native', 'native'),
+            array('spawn', 'spawn'),
+            array('spawn', 'native'),
+            array('native', 'spawn'),
+        );
+    }
+
+    /**
+     * @dataProvider serviceTypeProvider
+     */
+    public function testCorrectNotdetached(string $serviceType, string $serviceTypeOther): void
+    {
+        $service = $this->getServiceWithAttrCertificate($serviceType);
+        $serviceOther = $this->getServiceWithAttrCertificate($serviceTypeOther);
+
+        $signedData = $service->sign('foobar');
+        $this->assertTrue($serviceOther->verify($signedData));
+        $this->assertTrue(
+            $serviceOther->verify(
+                $signedData,
+                null,
+                file_get_contents('./tests/mockdata/attr.example.org.cert.pem'),
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+        $this->assertTrue(
+            $serviceOther->verify($signedData, null, file_get_contents('./tests/mockdata/attr.example.org.cert.pem'))
+        );
+        $this->assertFalse(
+            $serviceOther->verify($signedData, null, file_get_contents('./tests/mockdata/cert-002.cert'))
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                null,
+                file_get_contents('./tests/mockdata/cert-002.cert'),
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+    }
+
+    /**
+     * @dataProvider serviceTypeProvider
+     */
+    public function testCorrectDetached(string $serviceType, string $serviceTypeOther): void
+    {
+        $service = $this->getServiceWithAttrCertificate($serviceType);
+        $serviceOther = $this->getServiceWithAttrCertificate($serviceTypeOther);
+
+        $signedData = $service->sign('foobar', true);
+        $this->assertTrue($serviceOther->verify($signedData, 'foobar'));
+        $this->assertFalse($serviceOther->verify($signedData, 'not-foobar'));
+        $this->assertFalse($serviceOther->verify($signedData));
+        $this->assertTrue(
+            $serviceOther->verify($signedData, 'foobar', null, (new SignatureVerifyConfig())->setNoVerify(true))
+        );
+        $this->assertFalse(
+            $serviceOther->verify($signedData, 'not-foobar', null, (new SignatureVerifyConfig())->setNoVerify(true))
+        );
+
+        $this->assertTrue(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/attr.example.org.cert.pem')
+            )
+        );
+        $this->assertTrue(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/attr.example.org.cert.pem'),
+                (new SignatureVerifyConfig())->setNoVerify(true)
+            )
+        );
+        $this->assertFalse(
+            $serviceOther->verify($signedData, 'foobar', file_get_contents('./tests/mockdata/cert-002.cert'))
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/cert-002.cert'),
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+    }
+
+    /**
+     * @dataProvider serviceTypeProvider
+     */
+    public function testCorrectDetachedWithoutChain(string $serviceType, string $serviceTypeOther): void
+    {
+        $service = $this->getServiceWithAttrCertificate($serviceType, false);
+        $serviceOther = $this->getServiceWithAttrCertificate($serviceTypeOther, false);
+
+        $signedData = $service->sign('foobar', true);
+        $this->assertFalse($serviceOther->verify($signedData, 'foobar'));
+        $this->assertFalse($serviceOther->verify($signedData, 'not-foobar'));
+        $this->assertFalse($serviceOther->verify($signedData));
+        $this->assertTrue(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                null,
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                'not-foobar',
+                null,
+                (new SignatureVerifyConfig())->setNoVerify(true)
+            )
+        );
+
+        $this->assertTrue(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/attr.example.org.cert.pem'),
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/attr.example.org.cert.pem')
+            )
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/cert-002.cert')
+            )
+        );
+        $this->assertFalse(
+            $serviceOther->verify(
+                $signedData,
+                'foobar',
+                file_get_contents('./tests/mockdata/cert-002.cert'),
+                (new SignatureVerifyConfig())->setNoVerify(true),
+            )
+        );
+    }
+
+    private function getServiceWithAttrCertificate(
+        string $serviceType,
+        bool $withChain = true,
+    ): SignatureCryptoInterface {
+        $args = [
+            './tests/mockdata/attr.example.org.cert.pem',
+            './tests/mockdata/attr.example.org.key.pem',
+            '',
+            $withChain ? './tests/mockdata/example.org.chain.pem' : null,
+            new TempFileService()
+        ];
+
+        if ($serviceType === 'native') {
+            return new NativeService(...$args);
+        }
+
+        return new ProcessSpawnService(...$args);
+    }
+}