Specs for multiple PCKS7 signatures

Question

Specs for multiple PCKS7 signatures

ct-clearhaus opened this issue 6 years ago · comments

By adjusting PedicelPay::Backend#sign to err if the token already has a signature, I notice that only 4 specs fail, namely

rspec ./spec/lib/pedicel/ec_spec.rb:85 # Pedicel::EC #validate_signature errs if transaction_id has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:93 # Pedicel::EC #validate_signature errs if ephemeral_public_key has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:101 # Pedicel::EC #validate_signature errs if encrypted_data has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:109 # Pedicel::EC #validate_signature errs if application_data has been changed

But by removing the if token.signature section completely makes the specs succeed. Thus, it seems it's not used anywhere that pedicel-pay support adding to the PKCS7 signature.

I think we should test this. However, I also think the default behaviour in PedicelPay::Backend#sign should be to overwrite the signature; there could be a overwrite: true default flag.

@kse-clearhaus WDYT?

Casper Thomsen · Answer 1 · Mon Jul 02 2018 19:24:07 GMT+0800 (China Standard Time)

See clearhaus/pedicel-pay#7 for the adjustment of pedicel-pay I have in mind 🙂

Kasper Sacharias Eenberg · Answer 2 · Mon Jul 02 2018 19:34:03 GMT+0800 (China Standard Time)

I think the overwrite: true parameter makes sense, since this is most likely the use case. I prefer replace, though.

The case that we want to catch, is if a non Apple-signed signature is added, we don't want to accidentally use that and accept that as a valid signature.
But as we already check if we (erroneously) accept a signature with a different root certificate, I don't think a new test is required.

Casper Thomsen · Answer 3 · Mon Jul 02 2018 22:52:40 GMT+0800 (China Standard Time)

It's renamed to replace; I merged and made another release of pedicel-pay 🙂

IRL discussion:

We catch the "only a single signer" in .verify_signed_time.
Perhaps it'd make sense to move this check to earlier.
The timing check is the first place where https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html indicates that there may only be one signature due to the text "Inspect the CMS signing time of the signature".

But doesn't "Verify the signature as follows" state that there must be exactly one signer?

Well, not necessarily, since one PKCS7 signature can have multiple signers (cf. https://tools.ietf.org/html/rfc5652#section-5.1).

We could even read it as

If there's just one signer that signed it "within a few minutes", then it's all good.

but we've decided that we accept it only when there's exactly one signer. And since we do this, we could move the check earlier and fail slightly less weird.

This piece of code should be hit by a test no matter what.

Kasper Sacharias Eenberg · Answer 4 · Tue Jul 03 2018 16:33:41 GMT+0800 (China Standard Time)

A pull request related to this is #27.

Casper Thomsen · Answer 5 · Tue Jul 03 2018 16:50:56 GMT+0800 (China Standard Time)

A pull request related to this is #27.

Agreed. However, we still miss a test to hit the code that makes pedicel err when multiple signers is present in the signature.