kopia lustrzana https://github.com/bellingcat/auto-archiver
216 wiersze
8.9 KiB
Python
216 wiersze
8.9 KiB
Python
from pathlib import Path
|
|
import pytest
|
|
|
|
from rfc3161_client import (
|
|
TimeStampResponse,
|
|
decode_timestamp_response,
|
|
)
|
|
import requests
|
|
|
|
from auto_archiver.modules.timestamping_enricher.timestamping_enricher import TimestampingEnricher
|
|
from auto_archiver.core import Metadata
|
|
|
|
|
|
@pytest.fixture
|
|
def timestamp_response() -> TimeStampResponse:
|
|
with open("tests/data/timestamping/valid_timestamp.tsr", "rb") as f:
|
|
return decode_timestamp_response(f.read())
|
|
|
|
|
|
@pytest.fixture
|
|
def wrong_order_timestamp_response() -> TimeStampResponse:
|
|
with open("tests/data/timestamping/rfc3161-client-issue-104.tsr", "rb") as f:
|
|
return decode_timestamp_response(f.read())
|
|
|
|
|
|
@pytest.fixture
|
|
def selfsigned_response() -> TimeStampResponse:
|
|
with open("tests/data/timestamping/self_signed.tsr", "rb") as f:
|
|
return decode_timestamp_response(f.read())
|
|
|
|
|
|
@pytest.fixture
|
|
def digicert_response() -> TimeStampResponse:
|
|
with open("tests/data/timestamping/digicert.tsr", "rb") as f:
|
|
return f.read()
|
|
|
|
|
|
@pytest.fixture
|
|
def filehash():
|
|
return "4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef"
|
|
|
|
|
|
@pytest.mark.download
|
|
def test_enriching(setup_module, sample_media):
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher")
|
|
|
|
# tests the current TSAs set as default in the __manifest__ to make sure they are all still working
|
|
|
|
# test the enrich method
|
|
metadata = Metadata().set_url("https://example.com")
|
|
sample_media.set("hash", "4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef")
|
|
metadata.add_media(sample_media)
|
|
tsp.enrich(metadata)
|
|
|
|
|
|
def test_full_enriching_selfsigned(setup_module, sample_media, mocker, selfsigned_response, filehash):
|
|
mock_post = mocker.patch("requests.sessions.Session.post")
|
|
mock_post.return_value.status_code = 200
|
|
mock_decode_timestamp_response = mocker.patch(
|
|
"auto_archiver.modules.timestamping_enricher.timestamping_enricher.decode_timestamp_response"
|
|
)
|
|
mock_decode_timestamp_response.return_value = selfsigned_response
|
|
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher", {"tsa_urls": ["http://timestamp.identrust.com"]})
|
|
metadata = Metadata().set_url("https://example.com")
|
|
sample_media.set("hash", filehash)
|
|
metadata.add_media(sample_media)
|
|
tsp.enrich(metadata)
|
|
|
|
assert len(metadata.media) == 1 # doesn't allow self-signed
|
|
|
|
# set self-signed on tsp
|
|
tsp.allow_selfsigned = True
|
|
tsp.enrich(metadata)
|
|
|
|
assert len(metadata.media) == 2
|
|
|
|
|
|
def test_full_enriching(setup_module, sample_media, mocker, timestamp_response, filehash):
|
|
mock_post = mocker.patch("requests.sessions.Session.post")
|
|
mock_post.return_value.status_code = 200
|
|
mock_decode_timestamp_response = mocker.patch(
|
|
"auto_archiver.modules.timestamping_enricher.timestamping_enricher.decode_timestamp_response"
|
|
)
|
|
mock_decode_timestamp_response.return_value = timestamp_response
|
|
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher", {"tsa_urls": ["http://timestamp.identrust.com"]})
|
|
metadata = Metadata().set_url("https://example.com")
|
|
sample_media.set("hash", filehash)
|
|
metadata.add_media(sample_media)
|
|
tsp.enrich(metadata)
|
|
|
|
assert metadata.get("timestamped") is True
|
|
assert len(metadata.media) == 2 # the original 'sample_media' and the new 'timestamp_media'
|
|
|
|
timestamp_media = metadata.media[1]
|
|
assert timestamp_media.filename == f"{tsp.tmp_dir}/hashes.txt"
|
|
assert Path(timestamp_media.filename).read_text() == filehash
|
|
|
|
# we only have one authority file because we only used one TSA
|
|
assert len(timestamp_media.get("timestamp_authority_files")) == 1
|
|
timestamp_authority_file = timestamp_media.get("timestamp_authority_files")[0]
|
|
assert Path(timestamp_authority_file.filename).read_bytes() == timestamp_response.time_stamp_token()
|
|
|
|
cert_chain = timestamp_authority_file.get("cert_chain")
|
|
assert len(cert_chain) == 3
|
|
assert cert_chain[0].filename == f"{tsp.tmp_dir}/1 – 85078758028491331763.crt"
|
|
assert cert_chain[1].filename == f"{tsp.tmp_dir}/2 – 85078371663472981624.crt"
|
|
assert cert_chain[2].filename == f"{tsp.tmp_dir}/3 – 13298821034946342390.crt"
|
|
|
|
|
|
def test_full_enriching_multiple_tsa(setup_module, sample_media, mocker, timestamp_response, filehash):
|
|
mock_post = mocker.patch("requests.sessions.Session.post")
|
|
mock_post.return_value.status_code = 200
|
|
|
|
mock_decode_timestamp_response = mocker.patch(
|
|
"auto_archiver.modules.timestamping_enricher.timestamping_enricher.decode_timestamp_response"
|
|
)
|
|
mock_decode_timestamp_response.return_value = timestamp_response
|
|
|
|
tsp: TimestampingEnricher = setup_module(
|
|
"timestamping_enricher", {"tsa_urls": ["http://example.com/timestamp1", "http://example.com/timestamp2"]}
|
|
)
|
|
metadata = Metadata().set_url("https://example.com")
|
|
sample_media.set("hash", filehash)
|
|
metadata.add_media(sample_media)
|
|
tsp.enrich(metadata)
|
|
|
|
assert metadata.get("timestamped") is True
|
|
assert len(metadata.media) == 2 # the original 'sample_media' and the new 'timestamp_media'
|
|
|
|
timestamp_media = metadata.media[1]
|
|
assert len(timestamp_media.get("timestamp_authority_files")) == 2
|
|
for timestamp_token_media in timestamp_media.get("timestamp_authority_files"):
|
|
assert Path(timestamp_token_media.filename).read_bytes() == timestamp_response.time_stamp_token()
|
|
assert len(timestamp_token_media.get("cert_chain")) == 3
|
|
|
|
|
|
def test_fails_for_digicert(setup_module, mocker, digicert_response):
|
|
"""
|
|
Digicert TSRs are not compliant with RFC 3161.
|
|
See https://github.com/trailofbits/rfc3161-client/issues/104#issuecomment-2621960840
|
|
"""
|
|
mocker.patch("requests.sessions.Session.post", return_value=requests.Response())
|
|
mocker.patch("requests.Response.raise_for_status")
|
|
mocker.patch("requests.Response.content", new_callable=mocker.PropertyMock, return_value=digicert_response)
|
|
|
|
tsa_url = "http://timestamp.digicert.com"
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher")
|
|
|
|
data = b"4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef"
|
|
with pytest.raises(ValueError) as e:
|
|
tsp.sign_data(tsa_url, data)
|
|
assert "ASN.1 parse error: ParseError" in str(e.value)
|
|
|
|
|
|
@pytest.mark.download
|
|
def test_download_tsr(setup_module):
|
|
tsa_url = "http://timestamp.identrust.com"
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher")
|
|
|
|
data = b"4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef"
|
|
result: TimeStampResponse = tsp.sign_data(tsa_url, data)
|
|
assert isinstance(result, TimeStampResponse)
|
|
|
|
verified_root_cert = tsp.verify_signed(result, data)
|
|
assert verified_root_cert.subject.rfc4514_string() == "CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US"
|
|
|
|
# test downloading the cert
|
|
cert_chain = tsp.save_certificate(result, verified_root_cert)
|
|
assert len(cert_chain) == 3
|
|
|
|
|
|
def test_verify_save(setup_module, timestamp_response):
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher")
|
|
|
|
verified_root_cert = tsp.verify_signed(
|
|
timestamp_response, b"4b7b4e39f12b8c725e6e603e6d4422500316df94211070682ef10260ff5759ef"
|
|
)
|
|
assert verified_root_cert.subject.rfc4514_string() == "CN=IdenTrust Commercial Root CA 1,O=IdenTrust,C=US"
|
|
|
|
cert_chain = tsp.save_certificate(timestamp_response, verified_root_cert)
|
|
assert len(cert_chain) == 3
|
|
|
|
assert cert_chain[0].filename == f"{tsp.tmp_dir}/1 – 85078758028491331763.crt"
|
|
assert cert_chain[1].filename == f"{tsp.tmp_dir}/2 – 85078371663472981624.crt"
|
|
assert cert_chain[2].filename == f"{tsp.tmp_dir}/3 – 13298821034946342390.crt"
|
|
|
|
|
|
def test_order_crt_correctly(setup_module, wrong_order_timestamp_response):
|
|
# reference: https://github.com/trailofbits/rfc3161-client/issues/104#issuecomment-2711244010
|
|
tsp: TimestampingEnricher = setup_module("timestamping_enricher")
|
|
|
|
# get the certificates, make sure the reordering is working:
|
|
|
|
ordered_certs = tsp.tst_certs(wrong_order_timestamp_response)
|
|
assert len(ordered_certs) == 2
|
|
assert ordered_certs[0].subject.rfc4514_string() == "CN=TrustID Timestamp Authority,O=IdenTrust,C=US"
|
|
assert ordered_certs[1].subject.rfc4514_string() == "CN=TrustID Timestamping CA 3,O=IdenTrust,C=US"
|
|
|
|
|
|
def test_invalid_tsa_invalid_response(setup_module, mocker):
|
|
mocker.patch("requests.sessions.Session.post", return_value=requests.Response())
|
|
raise_for_status = mocker.patch("requests.Response.raise_for_status")
|
|
raise_for_status.side_effect = requests.exceptions.HTTPError("404 Client Error")
|
|
tsp = setup_module("timestamping_enricher")
|
|
|
|
with pytest.raises(requests.exceptions.HTTPError, match="404 Client Error"):
|
|
tsp.sign_data("http://bellingcat.com/page-not-found/", b"my-message")
|
|
|
|
|
|
def test_fail_on_selfsigned_cert(setup_module, selfsigned_response):
|
|
tsp = setup_module("timestamping_enricher")
|
|
root_cert = tsp.verify_signed(selfsigned_response, b"my-message")
|
|
assert root_cert is None
|