Merge pull request #4226 from LibreSign/feat/validate-pdf

feat: validate pdf

lib/Controller/AccountController.php

@@ -161,6 +161,7 @@ public function signatureGenerate(
 			$data = [
 				'user' => [
 					'host' => $identify,
+					'uid' => 'account:' . $this->userSession->getUser()->getUID(),
 					'name' => $this->userSession->getUser()->getDisplayName(),
 				],
 				'signPassword' => $signPassword,

lib/Controller/FileController.php

@@ -182,6 +182,7 @@ public function validate(?string $type = null, $identifier = null): DataResponse
 				->showSigners()
 				->showSettings()
 				->showMessages()
+				->showValidateFile()
 				->toArray()
 		);
 

lib/Controller/SignFileController.php

@@ -118,7 +118,11 @@ public function sign(string $method, array $elements = [], string $identifyValue
 			$this->signFileService
 				->setLibreSignFile($libreSignFile)
 				->setSignRequest($signRequest)
-				->setUserUniqueIdentifier($identifyMethod->getEntity()->getIdentifierValue())
+				->setUserUniqueIdentifier(
+					$identifyMethod->getEntity()->getIdentifierKey() .
+					':' .
+					$identifyMethod->getEntity()->getIdentifierValue()
+				)
 				->setFriendlyName($signRequest->getDisplayName())
 				->storeUserMetadata([
 					'user-agent' => $this->request->getHeader('User-Agent'),

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -42,6 +42,7 @@
  * @method string getOrganization()
  * @method IEngineHandler setOrganizationalUnit(string $organizationalUnit)
  * @method string getOrganizationalUnit()
+ * @method IEngineHandler setUID(string $UID)
  * @method string getName()
  */
 class AEngineHandler {
@@ -55,6 +56,7 @@ class AEngineHandler {
 	protected string $locality = '';
 	protected string $organization = '';
 	protected string $organizationalUnit = '';
+	protected string $UID = '';
 	protected string $password = '';
 	protected string $configPath = '';
 	protected string $engine = '';
@@ -178,6 +180,8 @@ public function translateToLong($name): string {
 				return 'Organization';
 			case 'OU':
 				return 'OrganizationalUnit';
+			case 'UID':
+				return 'UserIdentifier';
 		}
 		return '';
 	}
@@ -282,12 +286,19 @@ protected function getNames(): array {
 			'O' => $this->getOrganization(),
 			'OU' => $this->getOrganizationalUnit(),
 		];
+		if ($uid = $this->getUID()) {
+			$names['UID'] = $uid;
+		}
 		$names = array_filter($names, function ($v) {
 			return !empty($v);
 		});
 		return $names;
 	}
 
+	public function getUID(): string {
+		return str_replace(' ', '+', $this->UID);
+	}
+
 	public function expirity(): int {
 		$expirity = $this->appConfig->getAppValueInt('expiry_in_days', 365);
 		if ($expirity < 0) {

lib/Handler/CertificateEngine/CfsslHandler.php

@@ -130,6 +130,14 @@ public function toArray(): array {
 		return $return;
 	}
 
+	public function getCommonName(): string {
+		$uid = $this->getUID();
+		if (!$uid) {
+			return $this->commonName;
+		}
+		return $uid . ', ' . $this->commonName;
+	}
+
 	private function newCert(): array {
 		$json = [
 			'json' => [

lib/Handler/CertificateEngine/IEngineHandler.php

@@ -27,6 +27,8 @@
  * @method string getOrganization()
  * @method IEngineHandler setOrganizationalUnit(string $organizationalUnit)
  * @method string getOrganizationalUnit()
+ * @method IEngineHandler setUID(string $UID)
+ * @method string getUID()
  * @method string getName()
  */
 interface IEngineHandler {

lib/Handler/CertificateEngine/OpenSslHandler.php

@@ -113,6 +113,10 @@ private function getCsrNames(): array {
 				$distinguishedNames['stateOrProvinceName'] = $value;
 				continue;
 			}
+			if ($name === 'UID') {
+				$distinguishedNames['UID'] = $value;
+				continue;
+			}
 			$longName = $this->translateToLong($name);
 			$longName = lcfirst($longName) . 'Name';
 			$distinguishedNames[$longName] = $value;

lib/Handler/Pkcs12Handler.php

@@ -16,6 +16,7 @@
 use OCP\AppFramework\Services\IAppConfig;
 use OCP\Files\File;
 use OCP\IL10N;
+use OCP\ITempManager;
 use TypeError;
 
 class Pkcs12Handler extends SignEngineHandler {
@@ -30,6 +31,7 @@ public function __construct(
 		private IL10N $l10n,
 		private JSignPdfHandler $jSignPdfHandler,
 		private FooterHandler $footerHandler,
+		private ITempManager $tempManager,
 	) {
 	}
 
@@ -79,6 +81,37 @@ public function readCertificate(string $uid, string $privateKey): array {
 		);
 	}
 
+	/**
+	 * @param resource $resource
+	 * @return array
+	 */
+	public function validatePdfContent($resource): array {
+		$content = stream_get_contents($resource);
+		preg_match_all('/ByteRange\s*\[(\d+) (?<start>\d+) (?<end>\d+) (\d+)?/', $content, $bytes);
+		if (empty($bytes['start']) || empty($bytes['end'])) {
+			throw new LibresignException($this->l10n->t('Unsigned file.'));
+		}
+
+		$parsed = [];
+		for ($i = 0; $i < count($bytes['start']); $i++) {
+			rewind($resource);
+			$signature = stream_get_contents(
+				$resource,
+				$bytes['end'][$i] - $bytes['start'][$i] - 2,
+				$bytes['start'][$i] + 1
+			);
+			$pfxCertificate = hex2bin($signature);
+			if (empty($tempFile)) {
+				$tempFile = $this->tempManager->getTemporaryFile('cert.pfx');
+			}
+			file_put_contents($tempFile, $pfxCertificate);
+			$output = shell_exec("openssl pkcs7 -in {$tempFile} -inform DER -print_certs");
+			$parsed[] = openssl_x509_parse($output);
+		}
+		$this->tempManager->clean();
+		return $parsed;
+	}
+
 	public function setPfxContent(string $content): void {
 		$this->pfxContent = $content;
 	}
@@ -152,6 +185,7 @@ public function generateCertificate(array $user, string $signPassword, string $f
 			->setHosts([$user['host']])
 			->setCommonName($user['name'])
 			->setFriendlyName($friendlyName)
+			->setUID($user['uid'])
 			->setPassword($signPassword)
 			->generateCertificate();
 		if (!$content) {

lib/Helper/MagicGetterSetterTrait.php

@@ -15,7 +15,10 @@ public function __call($name, $arguments) {
 		}
 		$property = lcfirst($matches['property']);
 		if (!property_exists($this, $property)) {
-			throw new \LogicException(sprintf('Cannot set non existing property %s->%s = %s.', \get_class($this), $name, var_export($arguments, true)));
+			$property = $matches['property'];
+			if (!property_exists($this, $property)) {
+				throw new \LogicException(sprintf('Cannot set non existing property %s->%s = %s.', \get_class($this), $name, var_export($arguments, true)));
+			}
 		}
 		if ($matches['type'] === 'get') {
 			return $this->$property;

lib/Service/AccountService.php

@@ -217,6 +217,7 @@ public function createToSign(string $uuid, string $email, string $password, ?str
 			$certificate = $this->pkcs12Handler->generateCertificate(
 				[
 					'host' => $newUser->getPrimaryEMailAddress(),
+					'uid' => 'account:' . $newUser->getUID(),
 					'name' => $newUser->getDisplayName()
 				],
 				$signPassword,

lib/Service/FileService.php

@@ -16,12 +16,15 @@
 use OCA\Libresign\Db\SignRequest;
 use OCA\Libresign\Db\SignRequestMapper;
 use OCA\Libresign\Exception\LibresignException;
+use OCA\Libresign\Handler\Pkcs12Handler;
 use OCA\Libresign\Helper\ValidateHelper;
 use OCA\Libresign\ResponseDefinitions;
 use OCA\Libresign\Service\IdentifyMethod\IIdentifyMethod;
 use OCP\Accounts\IAccountManager;
 use OCP\AppFramework\Services\IAppConfig;
+use OCP\Files\Config\IUserMountCache;
 use OCP\Files\IMimeTypeDetector;
+use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Http\Client\IClientService;
 use OCP\IDateTimeFormatter;
@@ -42,10 +45,12 @@ class FileService {
 	private bool $showSettings = false;
 	private bool $showVisibleElements = false;
 	private bool $showMessages = false;
+	private bool $validateFile = false;
 	private ?File $file = null;
 	private ?SignRequest $signRequest = null;
 	private ?IUser $me = null;
 	private ?int $identifyMethodId = null;
+	private array $certData = [];
 	private array $signers = [];
 	private array $settings = [
 		'canSign' => false,
@@ -74,6 +79,9 @@ public function __construct(
 		private IAppConfig $appConfig,
 		private IURLGenerator $urlGenerator,
 		protected IMimeTypeDetector $mimeTypeDetector,
+		protected Pkcs12Handler $pkcs12Handler,
+		private IUserMountCache $userMountCache,
+		private IRootFolder $root,
 		protected LoggerInterface $logger,
 		protected IL10N $l10n,
 	) {
@@ -137,6 +145,11 @@ public function setSignRequest(SignRequest $signRequest): self {
 		return $this;
 	}
 
+	public function showValidateFile(bool $validateFile = true): self {
+		$this->validateFile = $validateFile;
+		return $this;
+	}
+
 	/**
 	 * @return static
 	 */
@@ -162,6 +175,7 @@ private function getSigners(): array {
 			return $this->signers;
 		}
 		$signers = $this->signRequestMapper->getByFileId($this->file->getId());
+		$certData = $this->getCertData();
 		foreach ($signers as $signer) {
 			$signatureToShow = [
 				'signed' => $signer->getSigned() ?
@@ -191,6 +205,38 @@ private function getSigners(): array {
 				$data['sign_date'] = (new \DateTime())
 					->setTimestamp($signer->getSigned())
 					->format('Y-m-d H:i:s');
+				$mySignature = array_filter($certData, function ($data) use ($signatureToShow) {
+					foreach ($signatureToShow['identifyMethods'] as $methods) {
+						foreach ($methods as $identifyMethod) {
+							$entity = $identifyMethod->getEntity();
+							if (array_key_exists('uid', $data['subject'])) {
+								if ($data['subject']['uid'] === $entity->getIdentifierKey() . ':' . $entity->getIdentifierValue()) {
+									return true;
+								}
+							} else {
+								preg_match('/(?<key>.*):(?<value>.*), /', $data['subject']['CN'], $matches);
+								if ($matches) {
+									if ($matches['key'] === $entity->getIdentifierKey() && $matches['value'] === $entity->getIdentifierValue()) {
+										return true;
+									}
+								}
+							}
+						}
+					}
+				});
+				if ($mySignature) {
+					$mySignature = current($mySignature);
+					$signatureToShow['subject'] = implode(
+						', ',
+						array_map(
+							fn (string $key, string $value) => "$key: $value",
+							array_keys($mySignature['subject']),
+							$mySignature['subject']
+						)
+					);
+					$signatureToShow['valid_from'] = $mySignature['validFrom_time_t'];
+					$signatureToShow['valid_to'] = $mySignature['validTo_time_t'];
+				}
 			}
 			// @todo refactor this code
 			if ($this->me || $this->identifyMethodId) {
@@ -396,6 +442,27 @@ private function getFile(): array {
 		return $return;
 	}
 
+	private function getCertData(): array {
+		if (!empty($this->certData) || !$this->validateFile || !$this->file->getSignedNodeId()) {
+			return $this->certData;
+		}
+		$mountsContainingFile = $this->userMountCache->getMountsForFileId($this->file->getSignedNodeId());
+		foreach ($mountsContainingFile as $fileInfo) {
+			$this->root->getByIdInPath($this->file->getSignedNodeId(), $fileInfo->getMountPoint());
+		}
+		$fileToValidate = $this->root->getById($this->file->getSignedNodeId());
+		if (!count($fileToValidate)) {
+			throw new LibresignException($this->l10n->t('Invalid data to validate file'), 404);
+		}
+		/** @var \OCP\Files\File */
+		$file = current($fileToValidate);
+
+		$resource = $file->fopen('rb');
+		$this->certData = $this->pkcs12Handler->validatePdfContent($resource);
+		fclose($resource);
+		return $this->certData;
+	}
+
 	/**
 	 * @return string[][]
 	 *

lib/Service/SignFileService.php

@@ -351,6 +351,7 @@ private function getPfxFile(): string {
 				$certificate = $this->pkcs12Handler->generateCertificate(
 					[
 						'host' => $this->userUniqueIdentifier,
+						'uid' => $this->userUniqueIdentifier,
 						'name' => $this->friendlyName,
 					],
 					$tempPassword,

src/views/CreatePassword.vue

@@ -67,7 +67,7 @@ export default {
 				})
 				.catch(({ response }) => {
 					this.signMethodsStore.setHasSignatureFile(false)
-					if (response.data.ocs.data.message) {
+					if (response.data?.ocs?.data?.message) {
 						showError(response.data.ocs.data.message)
 					} else {
 						showError(t('libresign', 'Error creating new password, please contact the administrator'))

src/views/Validation.vue

@@ -128,6 +128,33 @@
 									</ul>
 								</template>
 							</NcListItem>
+							<NcListItem v-if="signer.opened && signer.valid_from"
+								class="extra"
+								compact
+								:name="t('libresign', 'Certificate valid from:')">
+								<template #name>
+									<strong>{{ t('libresign', 'Certificate valid from:')}}</strong>
+									{{ dateFromUnixTimestamp(signer.valid_from) }}
+								</template>
+							</NcListItem>
+							<NcListItem v-if="signer.opened && signer.valid_to"
+								class="extra"
+								compact
+								:name="t('libresign', 'Certificate valid to:')">
+								<template #name>
+									<strong>{{ t('libresign', 'Certificate valid to:')}}</strong>
+									{{ dateFromUnixTimestamp(signer.valid_to) }}
+								</template>
+							</NcListItem>
+							<NcListItem v-if="signer.opened && signer.subject"
+								class="extra"
+								compact
+								:name="t('libresign', 'Subject:')">
+								<template #name>
+									<strong>{{ t('libresign', 'Subject:')}}</strong>
+									{{ signer.subject }}
+								</template>
+							</NcListItem>
 						</span>
 					</ul>
 				</div>

tests/Api/Controller/SignFileControllerTest.php

@@ -226,6 +226,7 @@ public function testSignUsingFileIdWithEmptyCertificatePassword():void {
 		$certificate = $pkcs12Handler->generateCertificate(
 			[
 				'host' => '[email protected]',
+				'uid' => 'email:[email protected]',
 				'name' => 'John Doe',
 			],
 			'secretPassword',
@@ -286,6 +287,7 @@ public function testSignUsingFileIdWithSuccess():void {
 		$certificate = $pkcs12Handler->generateCertificate(
 			[
 				'host' => '[email protected]',
+				'uid' => 'email:[email protected]',
 				'name' => 'John Doe',
 			],
 			'secretPassword',