Merge pull request #5724 from LibreSign/backport/5722/stable31

vitormattos · web-flow · commit 2f3df728e5c3 · 2025-11-02T09:40:12.000-03:00
[stable31] feat: return more data from validation endpoint
diff --git a/lib/Service/FileService.php b/lib/Service/FileService.php
@@ -438,84 +438,75 @@ private function loadLibreSignSigners(): void {
 	private function loadSignersFromCertData(): void {
 		$this->loadCertDataFromLibreSignFile();
 		foreach ($this->certData as $index => $signer) {
-			if (!empty($signer['chain'][0]['name'])) {
-				$this->fileData->signers[$index]['subject'] = $signer['chain'][0]['name'];
-			}
-			if (!empty($signer['chain'][0]['field'])) {
-				$this->fileData->signers[$index]['field'] = $signer['chain'][0]['field'];
-			}
-			if (!empty($signer['chain'][0]['validFrom_time_t'])) {
-				$this->fileData->signers[$index]['valid_from'] = (new DateTime('@' . $signer['chain'][0]['validFrom_time_t'], new \DateTimeZone('UTC')))->format(DateTimeInterface::ATOM);
-			}
-			if (!empty($signer['chain'][0]['validTo_time_t'])) {
-				$this->fileData->signers[$index]['valid_to'] = (new DateTime('@' . $signer['chain'][0]['validTo_time_t'], new \DateTimeZone('UTC')))->format(DateTimeInterface::ATOM);
+			if (isset($signer['timestamp'])) {
+				$this->fileData->signers[$index]['timestamp'] = $signer['timestamp'];
+				if (isset($signer['timestamp']['genTime']) && $signer['timestamp']['genTime'] instanceof DateTimeInterface) {
+					$this->fileData->signers[$index]['timestamp']['genTime'] = $signer['timestamp']['genTime']->format(DateTimeInterface::ATOM);
+				}
 			}
-			if (!empty($signer['signingTime'])) {
+			if (isset($signer['signingTime']) && $signer['signingTime'] instanceof DateTimeInterface) {
+				$this->fileData->signers[$index]['signingTime'] = $signer['signingTime'];
 				$this->fileData->signers[$index]['signed'] = $signer['signingTime']->format(DateTimeInterface::ATOM);
 			}
-			$this->fileData->signers[$index]['signature_validation'] = $signer['chain'][0]['signature_validation'];
-			if (!empty($signer['chain'][0]['certificate_validation'])) {
-				$this->fileData->signers[$index]['certificate_validation'] = $signer['chain'][0]['certificate_validation'];
-			}
-			if (!empty($signer['chain'][0]['signatureTypeSN'])) {
-				$this->fileData->signers[$index]['hash_algorithm'] = $signer['chain'][0]['signatureTypeSN'];
+			foreach ($signer['chain'] as $chainIndex => $chainItem) {
+				$chainArr = $chainItem;
+				if (isset($chainItem['validFrom_time_t']) && is_numeric($chainItem['validFrom_time_t'])) {
+					$chainArr['valid_from'] = (new DateTime('@' . $chainItem['validFrom_time_t'], new \DateTimeZone('UTC')))->format(DateTimeInterface::ATOM);
+				}
+				if (isset($chainItem['validTo_time_t']) && is_numeric($chainItem['validTo_time_t'])) {
+					$chainArr['valid_to'] = (new DateTime('@' . $chainItem['validTo_time_t'], new \DateTimeZone('UTC')))->format(DateTimeInterface::ATOM);
+				}
+				$chainArr['displayName'] = $chainArr['name'] ?? ($chainArr['subject']['CN'] ?? '');
+				$this->fileData->signers[$index]['chain'][$chainIndex] = $chainArr;
+				if ($chainIndex === 0) {
+					$this->fileData->signers[$index] = array_merge($chainArr, $this->fileData->signers[$index] ?? []);
+					$this->fileData->signers[$index]['uid'] = $this->resolveUid($chainArr);
+				}
 			}
-			if (!empty($signer['chain'][0]['subject']['UID'])) {
-				$this->fileData->signers[$index]['uid'] = $signer['chain'][0]['subject']['UID'];
-			} elseif (!empty($signer['chain'][0]['subject']['CN']) && preg_match('/^(?<key>.*):(?<value>.*), /', (string)$signer['chain'][0]['subject']['CN'], $matches)) {
-				// Used by CFSSL
-				$this->fileData->signers[$index]['uid'] = $matches['key'] . ':' . $matches['value'];
-			} elseif (!empty($signer['chain'][0]['extensions']['subjectAltName'])) {
-				// Used by old certs of LibreSign
-				preg_match('/^(?<key>(email|account)):(?<value>.*)$/', (string)$signer['chain'][0]['extensions']['subjectAltName'], $matches);
-				if ($matches) {
-					if (str_ends_with($matches['value'], $this->host)) {
-						$uid = str_replace('@' . $this->host, '', $matches['value']);
-						$userFound = $this->userManager->get($uid);
+		}
+	}
+
+	private function resolveUid(array $chainArr): ?string {
+		if (!empty($chainArr['subject']['UID'])) {
+			return $chainArr['subject']['UID'];
+		}
+		if (!empty($chainArr['subject']['CN']) && preg_match('/^(?<key>.*):(?<value>.*), /', (string)$chainArr['subject']['CN'], $matches)) {
+			return $matches['key'] . ':' . $matches['value'];
+		}
+		if (!empty($chainArr['extensions']['subjectAltName'])) {
+			preg_match('/^(?<key>(email|account)):(?<value>.*)$/', (string)$chainArr['extensions']['subjectAltName'], $matches);
+			if ($matches) {
+				if (str_ends_with($matches['value'], $this->host)) {
+					$uid = str_replace('@' . $this->host, '', $matches['value']);
+					$userFound = $this->userManager->get($uid);
+					if ($userFound) {
+						return 'account:' . $uid;
+					} else {
+						$userFound = $this->userManager->getByEmail($matches['value']);
 						if ($userFound) {
-							$this->fileData->signers[$index]['uid'] = 'account:' . $uid;
+							$userFound = current($userFound);
+							return 'account:' . $userFound->getUID();
 						} else {
-							$userFound = $this->userManager->getByEmail($matches['value']);
-							if ($userFound) {
-								$userFound = current($userFound);
-								$this->fileData->signers[$index]['uid'] = 'account:' . $userFound->getUID();
-							} else {
-								$this->fileData->signers[$index]['uid'] = 'email:' . $matches['value'];
-							}
+							return 'email:' . $matches['value'];
 						}
+					}
+				} else {
+					$userFound = $this->userManager->getByEmail($matches['value']);
+					if ($userFound) {
+						$userFound = current($userFound);
+						return 'account:' . $userFound->getUID();
 					} else {
-						$userFound = $this->userManager->getByEmail($matches['value']);
+						$userFound = $this->userManager->get($matches['value']);
 						if ($userFound) {
-							$userFound = current($userFound);
-							$this->fileData->signers[$index]['uid'] = 'account:' . $userFound->getUID();
+							return 'account:' . $userFound->getUID();
 						} else {
-							$userFound = $this->userManager->get($matches['value']);
-							if ($userFound) {
-								$this->fileData->signers[$index]['uid'] = 'account:' . $userFound->getUID();
-							} else {
-								$this->fileData->signers[$index]['uid'] = $matches['key'] . ':' . $matches['value'];
-							}
+							return $matches['key'] . ':' . $matches['value'];
 						}
 					}
 				}
 			}
-			if (!empty($signer['chain'][0]['subject']['CN'])) {
-				$this->fileData->signers[$index]['displayName'] = $signer['chain'][0]['subject']['CN'];
-			} elseif (!empty($this->fileData->signers[$index]['uid'])) {
-				$this->fileData->signers[$index]['displayName'] = $this->fileData->signers[$index]['uid'];
-			}
-			if (!empty($signer['timestamp'])) {
-				$this->fileData->signers[$index]['timestamp'] = $signer['timestamp'];
-				if ($signer['timestamp']['genTime'] instanceof \DateTimeInterface) {
-					$this->fileData->signers[$index]['timestamp']['genTime'] = $signer['timestamp']['genTime']->format(DateTimeInterface::ATOM);
-				}
-			}
-			for ($i = 1; $i < count($signer['chain']); $i++) {
-				$this->fileData->signers[$index]['chain'][] = [
-					'displayName' => $signer['chain'][$i]['name'],
-				];
-			}
 		}
+		return null;
 	}
 
 	private function loadSigners(): void {
diff --git a/src/views/Validation.vue b/src/views/Validation.vue
@@ -255,13 +255,13 @@
 									{{ dateFromSqlAnsi(signer.valid_to) }}
 								</template>
 							</NcListItem>
-							<NcListItem v-if="signer.opened && signer.hash_algorithm"
+							<NcListItem v-if="signer.opened && signer.signatureTypeSN"
 								class="extra"
 								compact
 								:name="t('libresign', 'Hash algorithm:')">
 								<template #name>
 									<strong>{{ t('libresign', 'Hash algorithm:') }}</strong>
-									{{ signer.hash_algorithm }}
+									{{ signer.signatureTypeSN }}
 								</template>
 							</NcListItem>
 							<NcListItem v-if="signer.opened && signer.timestamp && signer.timestamp.displayName"
@@ -379,11 +379,11 @@
 								:name="t('libresign', 'Certificate chain:')">
 								<template #name>
 									<strong>{{ t('libresign', 'Certificate chain:') }}</strong>
-									{{ signer.subject }}
+									{{ signer.name }}
 								</template>
 							</NcListItem>
 							<div v-if="signer.opened && signer.chain">
-								<NcListItem v-for="(issuer, issuerIndex) in signer.chain"
+								<NcListItem v-for="(issuer, issuerIndex) in signer.chain.filter(i => i.serialNumber !== signer.serialNumber)"
 									:key="issuerIndex"
 									class="extra-chain"
 									compact
diff --git a/tests/integration/features/file/validate.feature b/tests/integration/features/file/validate.feature
@@ -34,9 +34,10 @@ Feature: validate
       | key                                           | value                                                                                                                |
       | (jq).ocs.data.signers[0].me                   | false                                                                                                                |
       | (jq).ocs.data.signers[0].identifyMethods      | [{"method": "account","value": "signer1","mandatory": 1}]                                                            |
-      | (jq).ocs.data.signers[0].subject              | /C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/UID=account:signer1/CN=signer1-displayname |
+      | (jq).ocs.data.signers[0].name                 | /C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/UID=account:signer1/CN=signer1-displayname |
+      | (jq).ocs.data.signers[0].subject              | {"C":"BR","ST":"State of Company","L":"City Name","O":"Organization","OU":"Organization Unit","UID":"account:signer1","CN":"signer1-displayname"} |
       | (jq).ocs.data.signers[0].signature_validation | {"id":1,"label":"Signature is valid."}                                                                               |
-      | (jq).ocs.data.signers[0].hash_algorithm       | RSA-SHA256                                                                                                           |
+      | (jq).ocs.data.signers[0].signatureTypeSN      | RSA-SHA256                                                                                                           |
 
   Scenario Outline: Unauthenticated user can fetch the validation ednpoint
     Given as user "admin"
diff --git a/tests/php/Unit/Service/FileServiceTest.php b/tests/php/Unit/Service/FileServiceTest.php
@@ -284,8 +284,15 @@ function (self $self, FileService $service): void {
 					'name' => 'small_valid.pdf',
 					'signers' => [
 						[
-							'displayName' => 'account:admin, admin',
-							'subject' => '/C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/CN=account:admin, admin',
+							'displayName' => '/C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/CN=account:admin, admin',
+							'subject' => [
+								'C' => 'BR',
+								'ST' => 'State of Company',
+								'L' => 'City Name',
+								'O' => 'Organization',
+								'OU' => 'Organization Unit',
+								'CN' => 'account:admin, admin',
+							],
 							'valid_from' => '2025-10-20T13:26:00+00:00',
 							'valid_to' => '2026-10-20T13:26:00+00:00',
 							'signed' => '2025-10-20T13:31:43+00:00',
@@ -298,11 +305,131 @@ function (self $self, FileService $service): void {
 								'id' => 3,
 								'label' => 'Certificate issuer is unknown.',
 							],
-							'hash_algorithm' => 'RSA-SHA256',
 							'field' => 'Signature1',
+							'name' => '/C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/CN=account:admin, admin',
+							'hash' => '4a5a1475',
+							'issuer' => [
+								'C' => 'BR',
+								'ST' => 'State of Company',
+								'L' => 'City Name',
+								'O' => 'Organization',
+								'OU' => 'Organization Unit',
+								'CN' => 'Common Name',
+							],
+							'version' => 2,
+							'serialNumber' => '0x4700D96F34F501CF0EA141E75F20643844393FFF',
+							'serialNumberHex' => '4700D96F34F501CF0EA141E75F20643844393FFF',
+							'validFrom' => '251020132600Z',
+							'validTo' => '261020132600Z',
+							'validFrom_time_t' => 1760966760,
+							'validTo_time_t' => 1792502760,
+							'signatureTypeSN' => 'RSA-SHA256',
+							'signatureTypeLN' => 'sha256WithRSAEncryption',
+							'signatureTypeNID' => 668,
+							'purposes' => [
+								1 => [true, false, 'sslclient'],
+								2 => [false, false, 'sslserver'],
+								3 => [false, false, 'nssslserver'],
+								4 => [true, false, 'smimesign'],
+								5 => [true, false, 'smimeencrypt'],
+								6 => [false, false, 'crlsign'],
+								7 => [true, true, 'any'],
+								8 => [true, false, 'ocsphelper'],
+								9 => [false, false, 'timestampsign'],
+							],
+							'extensions' => [
+								'subjectAltName' => 'email:admin@email.tld',
+								'basicConstraints' => 'CA:FALSE',
+								'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
+								'extendedKeyUsage' => 'TLS Web Client Authentication, E-mail Protection',
+								'subjectKeyIdentifier' => '76:21:81:44:79:1F:DC:85:E0:24:A1:1D:AA:8C:43:5B:0B:45:F9:48',
+								'authorityKeyIdentifier' => '9D:6C:97:12:5D:29:8B:6D:C3:63:C0:0C:DF:28:99:18:81:17:61:69',
+							],
+							'isLibreSignRootCA' => false,
+							'range' => [
+								'offset1' => 0,
+								'length1' => 1311,
+								'offset2' => 31313,
+								'length2' => 32829,
+							],
+							'signingTime' => [
+								'date' => '2025-10-20 13:31:43.000000',
+								'timezone_type' => 1,
+								'timezone' => '+00:00',
+							],
+							'chain' => [
+								0 => [
+									'name' => '/C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/CN=account:admin, admin',
+									'subject' => [
+										'C' => 'BR',
+										'ST' => 'State of Company',
+										'L' => 'City Name',
+										'O' => 'Organization',
+										'OU' => 'Organization Unit',
+										'CN' => 'account:admin, admin',
+									],
+									'hash' => '4a5a1475',
+									'issuer' => [
+										'C' => 'BR',
+										'ST' => 'State of Company',
+										'L' => 'City Name',
+										'O' => 'Organization',
+										'OU' => 'Organization Unit',
+										'CN' => 'Common Name',
+									],
+									'version' => 2,
+									'serialNumber' => '0x4700D96F34F501CF0EA141E75F20643844393FFF',
+									'serialNumberHex' => '4700D96F34F501CF0EA141E75F20643844393FFF',
+									'validFrom' => '251020132600Z',
+									'validTo' => '261020132600Z',
+									'validFrom_time_t' => 1760966760,
+									'validTo_time_t' => 1792502760,
+									'signatureTypeSN' => 'RSA-SHA256',
+									'signatureTypeLN' => 'sha256WithRSAEncryption',
+									'signatureTypeNID' => 668,
+									'purposes' => [
+										1 => [true, false, 'sslclient'],
+										2 => [false, false, 'sslserver'],
+										3 => [false, false, 'nssslserver'],
+										4 => [true, false, 'smimesign'],
+										5 => [true, false, 'smimeencrypt'],
+										6 => [false, false, 'crlsign'],
+										7 => [true, true, 'any'],
+										8 => [true, false, 'ocsphelper'],
+										9 => [false, false, 'timestampsign'],
+									],
+									'extensions' => [
+										'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
+										'extendedKeyUsage' => 'TLS Web Client Authentication, E-mail Protection',
+										'basicConstraints' => 'CA:FALSE',
+										'subjectKeyIdentifier' => '76:21:81:44:79:1F:DC:85:E0:24:A1:1D:AA:8C:43:5B:0B:45:F9:48',
+										'authorityKeyIdentifier' => '9D:6C:97:12:5D:29:8B:6D:C3:63:C0:0C:DF:28:99:18:81:17:61:69',
+										'subjectAltName' => 'email:admin@email.tld',
+									],
+									'signature_validation' => [
+										'id' => 1,
+										'label' => 'Signature is valid.',
+									],
+									'isLibreSignRootCA' => false,
+									'field' => 'Signature1',
+									'range' => [
+										'offset1' => 0,
+										'length1' => 1311,
+										'offset2' => 31313,
+										'length2' => 32829,
+									],
+									'certificate_validation' => [
+										'id' => 3,
+										'label' => 'Certificate issuer is unknown.',
+									],
+									'valid_from' => '2025-10-20T13:26:00+00:00',
+									'valid_to' => '2026-10-20T13:26:00+00:00',
+									'displayName' => '/C=BR/ST=State of Company/L=City Name/O=Organization/OU=Organization Unit/CN=account:admin, admin',
+								],
+							],
 						],
 					],
-				]
+				],
 			],
 		];
 	}
