# frozen_string_literal: true

# Signature-validation examples for Xml::Kit::Document.
#
# Every negative case starts from the same serialized fixture (Item.new.to_xml),
# changes exactly one part of it, and then checks two things: that the document
# is rejected, and that the failure is reported under the expected errors key.
# Asserting the key matters: it pins *why* the document was rejected, so a
# regression in one check cannot hide behind another check failing instead.
#
# NOTE(review): the group is labelled '#valid_signature?', but every example
# goes through valid?/invalid? (via be_valid / be_invalid) - confirm the label.
# NOTE(review): this file covers a modified signed document and an expired
# signing certificate only. A document whose Signature element is absent is not
# exercised here - confirm that case is covered elsewhere.
RSpec.describe Xml::Kit::Document do
  describe '#valid_signature?' do
    # Item is defined outside this file; the lookups below expect its XML to
    # have an <Item> root containing a <Signature> element.
    let(:signed_xml) { Item.new.to_xml }

    context 'when the signature is valid' do
      subject { described_class.new(signed_xml) }

      # Baseline: the untouched fixture must be accepted.
      it { is_expected.to be_valid }
    end

    # Rewrites every occurrence of 'Item' in the serialized document, so the
    # content no longer matches what was digested.
    # NOTE(review): the label says SHA1, but nothing in this file shows which
    # digest algorithm the fixture uses - confirm.
    context 'when the SHA1 digest is not valid' do
      subject { described_class.new(modified_xml) }

      let(:modified_xml) { signed_xml.gsub('Item', 'uhoh') }

      # Run validation first so that errors is populated for the second example.
      before { subject.valid? }

      it { is_expected.not_to be_valid }
      it { expect(subject.errors[:digest_value]).to be_present }
    end

    # Leaves the content alone and overwrites the recorded DigestValue instead.
    context 'when the digest is incorrect' do
      subject { described_class.new(modified_xml) }

      let(:old_digest) do
        signature = Hash.from_xml(signed_xml)['Item']['Signature']
        signature['SignedInfo']['Reference']['DigestValue']
      end
      let(:modified_xml) { signed_xml.gsub(old_digest, 'sabotage') }

      # Run validation first so that errors is populated for the second example.
      before { subject.valid? }

      it { is_expected.not_to be_valid }
      it { expect(subject.errors[:digest_value]).to be_present }
    end

    # Overwrites SignatureValue; the failure must be reported under :signature.
    context 'when the signature is invalid' do
      subject { described_class.new(modified_xml) }

      let(:old_signature) do
        signature = Hash.from_xml(signed_xml)['Item']['Signature']
        signature['SignatureValue']
      end
      let(:modified_xml) { signed_xml.gsub(old_signature, 'sabotage') }

      # Run validation first so that errors is populated for the second example.
      before { subject.valid? }

      it { is_expected.not_to be_valid }
      it { expect(subject.errors[:signature]).to be_present }
    end

    # The document is signed with a certificate whose validity window closed
    # one second ago; it must be rejected with an error under :certificate.
    context 'when the certificate is expired' do
      let(:item) { Item.new }
      let(:digest_algorithm) { OpenSSL::Digest::SHA256.new }
      let(:private_key) { OpenSSL::PKey::RSA.new(2048) }

      # Self-signed test certificate: only the public key and the validity
      # window are set before it is signed in the before hook.
      let(:expired_certificate) do
        OpenSSL::X509::Certificate.new.tap do |x509|
          x509.public_key = private_key.public_key
          x509.not_before = 1.day.ago
          x509.not_after = 1.second.ago
        end
      end

      before { expired_certificate.sign(private_key, digest_algorithm) }

      it do
        key_pair = ::Xml::Kit::Certificate.new(expired_certificate).to_key_pair(private_key)
        item.sign_with(key_pair)
        # Named `document` so the local does not shadow RSpec's subject helper.
        document = described_class.new(item.to_xml)

        expect(document).to be_invalid
        expect(document.errors[:certificate]).to be_present
      end
    end
  end
end