Specs for multiple PCKS7 signatures

clearhaus / pedicel

Handle Apple Pay payment tokens.

MIT License

6 stars 3 forks source link

Specs for multiple PCKS7 signatures #26

Open ct-clearhaus opened 6 years ago

ct-clearhaus commented 6 years ago

By adjusting PedicelPay::Backend#sign to err if the token already has a signature, I notice that only 4 specs fail, namely

rspec ./spec/lib/pedicel/ec_spec.rb:85 # Pedicel::EC #validate_signature errs if transaction_id has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:93 # Pedicel::EC #validate_signature errs if ephemeral_public_key has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:101 # Pedicel::EC #validate_signature errs if encrypted_data has been changed
rspec ./spec/lib/pedicel/ec_spec.rb:109 # Pedicel::EC #validate_signature errs if application_data has been changed

But by removing the if token.signature section completely makes the specs succeed. Thus, it seems it's not used anywhere that pedicel-pay support adding to the PKCS7 signature.

I think we should test this. However, I also think the default behaviour in PedicelPay::Backend#sign should be to overwrite the signature; there could be a overwrite: true default flag.

@kse-clearhaus WDYT?

ct-clearhaus commented 6 years ago

See https://github.com/clearhaus/pedicel-pay/pull/7 for the adjustment of pedicel-pay I have in mind 🙂

kse-clearhaus commented 6 years ago

I think the overwrite: true parameter makes sense, since this is most likely the use case. I prefer replace, though.

The case that we want to catch, is if a non Apple-signed signature is added, we don't want to accidentally use that and accept that as a valid signature. But as we already check if we (erroneously) accept a signature with a different root certificate, I don't think a new test is required.

ct-clearhaus commented 6 years ago

It's renamed to replace; I merged and made another release of pedicel-pay 🙂

IRL discussion:

We catch the "only a single signer" in .verify_signed_time.
Perhaps it'd make sense to move this check to earlier.
The timing check is the first place where https://developer.apple.com/library/content/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html indicates that there may only be one signature due to the text "Inspect the CMS signing time of the signature".

But doesn't "Verify the signature as follows" state that there must be exactly one signer?

Well, not necessarily, since one PKCS7 signature can have multiple signers (cf. https://tools.ietf.org/html/rfc5652#section-5.1).

We could even read it as

If there's just one signer that signed it "within a few minutes", then it's all good.

but we've decided that we accept it only when there's exactly one signer. And since we do this, we could move the check earlier and fail slightly less weird.

This piece of code should be hit by a test no matter what.

kse-clearhaus commented 6 years ago

A pull request related to this is https://github.com/clearhaus/pedicel/pull/27.

ct-clearhaus commented 6 years ago

A pull request related to this is #27.

Agreed. However, we still miss a test to hit the code that makes pedicel err when multiple signers is present in the signature.