From 99341e773f8cfd0594ca956a701dcc15bd22df5c Mon Sep 17 00:00:00 2001 From: Pete Matsyburka Date: Wed, 1 May 2024 23:40:09 +0300 Subject: [PATCH] refactor sign params --- .../verify_pdf_signature_controller.rb | 3 ++- lib/accounts.rb | 6 ++++- lib/docuseal.rb | 11 +++++++++ lib/generate_certificate.rb | 6 ++++- lib/submissions/generate_audit_trail.rb | 10 +------- .../generate_result_attachments.rb | 24 ++++++++++++------- 6 files changed, 40 insertions(+), 20 deletions(-) diff --git a/app/controllers/verify_pdf_signature_controller.rb b/app/controllers/verify_pdf_signature_controller.rb index 92514a12..dbd39021 100644 --- a/app/controllers/verify_pdf_signature_controller.rb +++ b/app/controllers/verify_pdf_signature_controller.rb @@ -27,7 +27,8 @@ class VerifyPdfSignatureController < ApplicationController trusted_certs = [default_pkcs.certificate, *default_pkcs.ca_certs, *custom_certs.map(&:certificate), - *custom_certs.flat_map(&:ca_certs).compact] + *custom_certs.flat_map(&:ca_certs).compact, + *Docuseal.trusted_certs] render turbo_stream: turbo_stream.replace('result', partial: 'result', locals: { pdfs:, files: params[:files], trusted_certs: }) diff --git a/lib/accounts.rb b/lib/accounts.rb index 70c12555..b9943688 100644 --- a/lib/accounts.rb +++ b/lib/accounts.rb @@ -90,7 +90,11 @@ module Accounts def load_signing_pkcs(account) cert_data = if Docuseal.multitenant? - EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value || Docuseal::CERTS + data = EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value + + return Docuseal.default_pkcs if data.blank? + + data else EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value || EncryptedConfig.find_by(key: EncryptedConfig::ESIGN_CERTS_KEY).value diff --git a/lib/docuseal.rb b/lib/docuseal.rb index 4f2a3e71..25a9a4d1 100644 --- a/lib/docuseal.rb +++ b/lib/docuseal.rb 
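Review bot: The new `*Docuseal.trusted_certs` entry widens the verifier's trust store with operator-supplied anchors read from `ENV['TRUSTED_CERTS']` (see the lib/docuseal.rb hunk), but nothing at this call site says so; a comment such as `# extra trust anchors configured by the operator via TRUSTED_CERTS` would tell a reader these are not derived from the account or its custom certs. Because that list is parsed lazily and memoized, a malformed entry in the variable raises from `OpenSSL::X509::Certificate.new` inside this action on first use rather than at boot, so it surfaces as a failed verification request. The enclosing action continues outside the hunk.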
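Review bot: The `return Docuseal.default_pkcs if data.blank?` sits inside the `if` expression whose value is being assigned to `cert_data`, so the method now exits from the middle of an assignment; a guard clause before the assignment reads more clearly and also lets both branches share the account-scoped lookup they currently duplicate. The rewrite below keeps the behaviour: the multitenant fallback is still `Docuseal.default_pkcs` and the single-tenant fallback is still the global `ESIGN_CERTS_KEY` row. `load_signing_pkcs` continues past the hunk, so whatever follows the assignment is unchanged.
```ruby
def load_signing_pkcs(account)
  account_data = EncryptedConfig.find_by(account:, key: EncryptedConfig::ESIGN_CERTS_KEY)&.value

  # Multitenant: accounts without their own bundle sign with the shared default
  return Docuseal.default_pkcs if Docuseal.multitenant? && account_data.blank?

  cert_data = account_data || EncryptedConfig.find_by(key: EncryptedConfig::ESIGN_CERTS_KEY).value
  # … unchanged: rest of load_signing_pkcs …
```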
@@ -60,6 +60,17 @@ module Docuseal ENV['ACTIVE_STORAGE_PUBLIC'] == 'true' end + def default_pkcs + @default_pkcs ||= GenerateCertificate.load_pkcs(Docuseal::CERTS) + end + + def trusted_certs + @trusted_certs ||= + ENV['TRUSTED_CERTS'].to_s.split("\n\n").map do |base64| + OpenSSL::X509::Certificate.new(base64) + end + end + def default_url_options return DEFAULT_URL_OPTIONS if multitenant? diff --git a/lib/generate_certificate.rb b/lib/generate_certificate.rb index 045136c9..e8463705 100644 --- a/lib/generate_certificate.rb +++ b/lib/generate_certificate.rb @@ -3,6 +3,8 @@ module GenerateCertificate SIZE = 2**11 + Pkcs12Struct = Struct.new(:certificate, :ca_certs, keyword_init: true) + module_function def call(name = Docuseal.product_name) @@ -89,10 +91,12 @@ module GenerateCertificate def load_pkcs(cert_data) cert = OpenSSL::X509::Certificate.new(cert_data['cert']) - key = OpenSSL::PKey::RSA.new(cert_data['key']) + key = OpenSSL::PKey::RSA.new(cert_data['key']) if cert_data['key'].present? sub_ca = OpenSSL::X509::Certificate.new(cert_data['sub_ca']) root_ca = OpenSSL::X509::Certificate.new(cert_data['root_ca']) + return Pkcs12Struct.new(certificate: cert, ca_certs: [sub_ca, root_ca]) unless key + OpenSSL::PKCS12.create( '', '', diff --git a/lib/submissions/generate_audit_trail.rb b/lib/submissions/generate_audit_trail.rb index 26d4d291..d9827df3 100644 --- a/lib/submissions/generate_audit_trail.rb +++ b/lib/submissions/generate_audit_trail.rb @@ -296,17 +296,9 @@ module Submissions sign_params = { reason: SIGN_REASON, - certificate: pkcs.certificate, - doc_mdp_permissions: :no_changes, - key: pkcs.key, - certificate_chain: pkcs.ca_certs || [] + **Submissions::GenerateResultAttachments.build_signing_params(pkcs, tsa_url) } - if tsa_url - sign_params[:timestamp_handler] = Submissions::TimestampHandler.new(tsa_url:) - sign_params[:signature_size] = 10_000 - end - composer.document.sign(io, **sign_params) ActiveStorage::Attachment.create!( 
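Review bot: `trusted_certs` feeds verification trust anchors straight from `ENV['TRUSTED_CERTS']`, and the parse is brittle for a value that matters this much: a run of more than two newlines, or a CRLF-separated value, yields a chunk that `OpenSSL::X509::Certificate.new` rejects (or no split at all), and the block parameter `base64` misnames what is actually PEM text. Splitting on blank lines and dropping empty chunks is more forgiving without trusting anything new: `ENV['TRUSTED_CERTS'].to_s.split(/\R{2,}/).map(&:strip).reject(&:empty?).map { |pem| OpenSSL::X509::Certificate.new(pem) }`. A comment on the expected format (`# TRUSTED_CERTS: PEM certificates separated by a blank line`) would help operators, and since the result is memoized a bad value only fails on first use of the verifier rather than at boot, which may be worth surfacing earlier.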
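Review bot: `Pkcs12Struct` defines only `certificate` and `ca_certs`, so the key-less object that `load_pkcs` now returns (second hunk of this file) does not respond to `key`, while the `OpenSSL::PKCS12` returned on the other path does; `build_signing_params` in lib/submissions/generate_result_attachments.rb calls `pkcs.key` unconditionally, and `Accounts.load_signing_pkcs` now hands it `Docuseal.default_pkcs`, which is built from `Docuseal::CERTS` and would be this struct if that bundle carries no `'key'`. Giving the struct a `key` member, `Pkcs12Struct = Struct.new(:certificate, :key, :ca_certs, keyword_init: true)`, makes both return types present the same interface so signers can check for a nil key instead of hitting NoMethodError, and a header on `load_pkcs` should say that a bundle without `'key'` yields a verification-only object that must not be passed to a signer. Whether `Docuseal::CERTS` can be key-less in practice is not visible here, so treat the signing-path failure as something to confirm.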
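Review bot: The audit-trail signature loses its `doc_mdp_permissions: :no_changes` entry: the removed hash carried it, and `build_signing_params` (lib/submissions/generate_result_attachments.rb) builds only certificate, key, chain and the timestamp options, so after this change the audit trail is signed with a plain approval signature instead of a certification signature that forbids further changes. Unless that is intended, keep the option at the call site: `reason: SIGN_REASON,` / `doc_mdp_permissions: :no_changes,` / `**Submissions::GenerateResultAttachments.build_signing_params(pkcs, tsa_url)`. The enclosing method continues on both sides of the hunk.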
diff --git a/lib/submissions/generate_result_attachments.rb b/lib/submissions/generate_result_attachments.rb
index 80cf2ccf..ecba8d7a 100644
--- a/lib/submissions/generate_result_attachments.rb
+++ b/lib/submissions/generate_result_attachments.rb
@@ -304,16 +304,9 @@ module Submissions
 if sign_reason
 sign_params = {
 reason: sign_reason,
- certificate: pkcs.certificate,
- key: pkcs.key,
- certificate_chain: pkcs.ca_certs || []
+ **build_signing_params(pkcs, tsa_url)
 }
 
- if tsa_url
- sign_params[:timestamp_handler] = Submissions::TimestampHandler.new(tsa_url:)
- sign_params[:signature_size] = 10_000
- end
-
 begin
 pdf.sign(io, write_options: { validate: false }, **sign_params)
 rescue HexaPDF::MalformedPDFError => e
@@ -342,6 +335,21 @@ module Submissions
 )
 end
 
+ def build_signing_params(pkcs, tsa_url)
+ params = {
+ certificate: pkcs.certificate,
+ key: pkcs.key,
+ certificate_chain: pkcs.ca_certs || []
+ }
+
+ if tsa_url
+ params[:timestamp_handler] = Submissions::TimestampHandler.new(tsa_url:)
+ params[:signature_size] = 10_000
+ end
+
+ params
+ end
+
 def images_pdf_uuid(attachments)
 Digest::UUID.uuid_v5(Digest::UUID::OID_NAMESPACE, attachments.map(&:uuid).sort.join(':'))
 end
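Review bot: `build_signing_params` is called from another module (`Submissions::GenerateAuditTrail` in this same commit) yet carries no documentation of its contract; a header along the lines of `# Builds the keyword arguments for HexaPDF's sign: the signer's certificate, private key and chain, plus a TSA timestamp handler when tsa_url is given.` with `# @param pkcs [#certificate, #key, #ca_certs]`, `# @param tsa_url [String, nil]` and `# @return [Hash]` would make the duck-typed `pkcs` requirement explicit. The `10_000` passed as `signature_size` is the only magic number in the method and deserves a why-comment, e.g. `# reserve room in the signature field for the embedded timestamp token — presumably sized empirically; confirm`. `pkcs.key` is read unconditionally, so a `pkcs` without a private key raises NoMethodError here rather than failing with a clear message.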