def test_double_sig_adobe_reader_second_created():
    """Check that a later signature does not invalidate the first one.

    Loads ``minimal-signed-twice-second-created.pdf`` and validates both
    embedded signatures in order. For the first signature, the revision
    that follows it (the one carrying the second signature) must be
    classified as ``ModificationLevel.FORM_FILLING`` and ``docmdp_ok`` must
    be truthy. In other words, adding a second signature has to be read as
    a permitted change, not as tampering.

    The second signature is only passed through ``val_untrusted``; whatever
    that helper checks is defined outside this block.
    """
    fixture_path = PDF_DATA_DIR + '/minimal-signed-twice-second-created.pdf'
    reader = PdfFileReader(BytesIO(read_all(fixture_path)))

    # First signature: extended validation, then pin the modification verdict.
    first_status = val_untrusted(reader.embedded_signatures[0], extd=True)
    assert first_status.modification_level == ModificationLevel.FORM_FILLING
    assert first_status.docmdp_ok

    # Second signature: looked up only after the first has been checked.
    val_untrusted(reader.embedded_signatures[1])
def test_bogus_metadata_manipulation():
    """Check that post-signing changes to /Metadata are flagged.

    Starting from ``minimal-two-fields-signed-twice.pdf``, four separate
    incremental updates are written on top of the signed file. Each one
    alters the document catalog's ``/Metadata`` entry in a different way:

    1. point ``/Metadata`` at a new stream holding arbitrary bytes;
    2. overwrite the content of the existing metadata stream;
    3. replace ``/Metadata`` with a direct null object;
    4. replace ``/Metadata`` with a reference to a new null object.

    In every case the first embedded signature must report
    ``ModificationLevel.OTHER``, whereas the clean double-signature
    fixtures in this file are expected to yield ``FORM_FILLING``.

    ``validate_pdf_signature`` is called with the signature only, so this
    test pins the modification verdict and says nothing about certificate
    trust.
    """
    infile = BytesIO(
        read_all(PDF_DATA_DIR + '/minimal-two-fields-signed-twice.pdf')
    )
    bogus = b'This is bogus data, yay!'

    def assert_flagged(tampered):
        # Re-open the tampered output and validate the first signature.
        reader = PdfFileReader(tampered)
        # Debug aid kept from the original: dumps object (2, 0) as seen in
        # revision 3.
        obj_ref = generic.Reference(2, 0, reader)
        print(reader.get_object(obj_ref, revision=3).data)
        sig = reader.embedded_signatures[0]
        status = validate_pdf_signature(sig)
        assert status.modification_level == ModificationLevel.OTHER
        # NOTE(review): the clean double-signature tests also assert
        # status.docmdp_ok; asserting its negation here would pin the
        # policy verdict as well. Confirm how docmdp_ok is populated on
        # this code path before adding it.

    def emit(writer):
        # Serialise the incremental update into a fresh in-memory buffer.
        buf = BytesIO()
        writer.write(buf)
        return buf

    # Case 1: /Metadata now points at a brand-new stream with bogus content.
    writer = IncrementalPdfFileWriter(infile)
    writer.root['/Metadata'] = writer.add_object(
        generic.StreamObject(stream_data=bogus)
    )
    writer.update_root()
    assert_flagged(emit(writer))

    # Case 2: keep the existing reference but override the stream's payload.
    writer = IncrementalPdfFileWriter(infile)
    metadata_ref = writer.root.raw_get('/Metadata')
    metadata_stream: generic.StreamObject = metadata_ref.get_object()
    metadata_stream.strip_filters()
    metadata_stream._data = bogus
    # Reset the encoded form alongside the raw data.
    metadata_stream._encoded_data = None
    writer.mark_update(metadata_ref)
    assert_flagged(emit(writer))

    # Case 3: /Metadata replaced by a direct null.
    writer = IncrementalPdfFileWriter(infile)
    writer.root['/Metadata'] = generic.NullObject()
    writer.update_root()
    assert_flagged(emit(writer))

    # Case 4: /Metadata replaced by an indirect reference to a null object.
    writer = IncrementalPdfFileWriter(infile)
    writer.root['/Metadata'] = writer.add_object(generic.NullObject())
    writer.update_root()
    assert_flagged(emit(writer))
def test_double_sig_adobe_reader(infile_name):
    """Validate double signatures produced by Adobe Reader.

    The fixtures use object streams and XMP metadata updates, so they
    exercise the validator against the kind of incremental updates a
    mainstream signer emits. According to the original notes, the input
    files cover three layouts:

    * two prepared form fields, signed one after the other by Adobe Reader;
    * one prepared form field signed by Adobe Reader, with the second
      signature placed in a field Adobe Reader created on the fly;
    * a double signature where both fields were created by Adobe Reader.

    For the first signature, the later revision must be classified as
    ``ModificationLevel.FORM_FILLING`` with ``docmdp_ok`` truthy. The
    second signature is then passed through ``val_untrusted``.

    Args:
        infile_name: File name of the fixture, relative to ``PDF_DATA_DIR``.
            It is presumably supplied by a pytest parametrization that is
            not visible in this block.
    """
    fixture_path = f'{PDF_DATA_DIR}/{infile_name}'
    reader = PdfFileReader(BytesIO(read_all(fixture_path)))

    # The first signature must treat the second signing pass as form filling.
    first_status = val_untrusted(reader.embedded_signatures[0], extd=True)
    assert first_status.modification_level == ModificationLevel.FORM_FILLING
    assert first_status.docmdp_ok

    # The second signature is fetched only after the first has passed.
    val_untrusted(reader.embedded_signatures[1])
certs_to_embed=FROM_CA.cert_registry) DUMMY_TS2 = timestamps.DummyTimeStamper( tsa_cert=TSA2_CERT, tsa_key=TESTING_CA.key_set.get_private_key('tsa2'), certs_to_embed=FROM_CA.cert_registry) DUMMY_HTTP_TS = timestamps.HTTPTimeStamper( 'http://pyhanko.tests/testing-ca/tsa/tsa', https=False) DUMMY_HTTP_TS_VARIANT = timestamps.HTTPTimeStamper( 'http://pyhanko.tests/unrelated-tsa/tsa/tsa', https=False) # with the testing CA setup update, this OCSP response is totally # unrelated to the keys being used, so it should fail any sort of real # validation FIXED_OCSP = ocsp.OCSPResponse.load( read_all(CRYPTO_DATA_DIR + '/ocsp.resp.der')) DUMMY_POLICY_ID = SignaturePolicyId({ 'sig_policy_id': '2.999', 'sig_policy_hash': DigestInfo({ 'digest_algorithm': DigestAlgorithm({'algorithm': 'sha256'}), 'digest': hashlib.sha256().digest() }) }) def dummy_ocsp_vc(): cr = FROM_CA.cert_registry assert isinstance(cr, SimpleCertificateStore) vc = ValidationContext(trust_roots=TRUST_ROOTS,