feat: fetch OCSP wasm (#1402)

Make ocsp_fetch available as async.

Add ocsp_fetch for Wasm. as with fetching the manifest, the browser through wasm-bindgen only supports async HTTP GET. WASI supports synchronous and asynchronous fetching.

Remove Actix as a dependency. Actix for our purposes is redundant with tokio, which is used for most async tests. The c2pa_test_async macro can be used for these tests. I can break this part up into another PR if that's easier.

Author: cdmurph32

sdk/src/builder.rs

@@ -1608,7 +1608,10 @@ mod tests {
         crypto::raw_signature::SigningAlg,
         hash_stream_by_alg,
         settings::Settings,
-        utils::{test::write_jpeg_placeholder_stream, test_signer::test_signer},
+        utils::{
+            test::write_jpeg_placeholder_stream,
+            test_signer::{async_test_signer, test_signer},
+        },
         validation_results::ValidationState,
         HashedUri, Reader,
     };
@@ -2903,6 +2906,53 @@ mod tests {
         assert_eq!(parent.assertions().len(), 1);
     }
 
+    #[c2pa_test_async]
+    async fn test_redaction_async() {
+        Settings::from_toml(include_str!("../tests/fixtures/test_settings.toml")).unwrap();
+
+        // the label of the assertion we are going to redact
+        const ASSERTION_LABEL: &str = "stds.schema-org.CreativeWork";
+
+        let mut input = Cursor::new(TEST_IMAGE);
+
+        let parent = Reader::from_stream_async("image/jpeg", &mut input)
+            .await
+            .expect("from_stream");
+        let parent_manifest_label = parent.active_label().unwrap();
+        // Create a redacted uri for the assertion we are going to redact.
+        let redacted_uri =
+            crate::jumbf::labels::to_assertion_uri(parent_manifest_label, ASSERTION_LABEL);
+
+        let mut builder = Builder::edit();
+        builder.definition.redactions = Some(vec![redacted_uri.clone()]);
+
+        let redacted_action = crate::assertions::Action::new("c2pa.redacted")
+            .set_reason("testing".to_owned())
+            .set_parameter("redacted".to_owned(), redacted_uri.clone())
+            .unwrap();
+
+        builder.add_action(redacted_action).unwrap();
+
+        let signer = async_test_signer(SigningAlg::Ps256);
+        // Embed a manifest using the signer.
+        let mut output = Cursor::new(Vec::new());
+        builder
+            .sign_async(signer.as_ref(), "image/jpeg", &mut input, &mut output)
+            .await
+            .expect("builder sign");
+
+        output.set_position(0);
+
+        let reader = Reader::from_stream_async("image/jpeg", &mut output)
+            .await
+            .expect("from_bytes");
+        //println!("{reader}");
+        let m = reader.active_manifest().unwrap();
+        assert_eq!(m.ingredients().len(), 1);
+        let parent = reader.get_manifest(parent_manifest_label).unwrap();
+        assert_eq!(parent.assertions().len(), 1);
+    }
+
     #[test]
     fn test_supported_mime_types() {
         let mime_types = Builder::supported_mime_types();

sdk/src/cose_sign.rs

@@ -274,7 +274,6 @@ impl AsyncTimeStampProvider for AsyncSignerWrapper<'_> {
 mod tests {
     #![allow(clippy::unwrap_used)]
 
-    // Only used for test with file_io
     use c2pa_macros::c2pa_test_async;
     #[cfg(all(target_arch = "wasm32", not(target_os = "wasi")))]
     use wasm_bindgen_test::wasm_bindgen_test;

sdk/src/crypto/cose/mod.rs

@@ -32,8 +32,8 @@ mod error;
 pub use error::CoseError;
 
 mod ocsp;
-pub(crate) use ocsp::fetch_and_check_ocsp_response;
 pub use ocsp::{check_ocsp_status, check_ocsp_status_async, get_ocsp_der, OcspFetchPolicy};
+pub(crate) use ocsp::{fetch_and_check_ocsp_response, fetch_and_check_ocsp_response_async};
 
 mod sign;
 pub use sign::{sign, sign_async, sign_v2_embedded, sign_v2_embedded_async, CosePayload};

sdk/src/crypto/cose/ocsp.rs

@@ -12,19 +12,15 @@
 // each license.
 
 use async_generic::async_generic;
+use chrono::{DateTime, Utc};
 use ciborium::value::Value;
 use coset::{CoseSign1, Label};
-#[cfg(not(target_arch = "wasm32"))]
-use {
-    crate::crypto::cose::cert_chain_from_sign1,
-    chrono::{DateTime, Utc},
-};
 
 use crate::{
     crypto::{
         asn1::rfc3161::TstInfo,
         cose::{
-            check_end_entity_certificate_profile, validate_cose_tst_info,
+            cert_chain_from_sign1, check_end_entity_certificate_profile, validate_cose_tst_info,
             validate_cose_tst_info_async, CertificateTrustError, CertificateTrustPolicy, CoseError,
         },
         ocsp::OcspResponse,
@@ -101,7 +97,12 @@ pub fn check_ocsp_status(
 
         None => match fetch_policy {
             OcspFetchPolicy::FetchAllowed => {
-                fetch_and_check_ocsp_response(sign1, data, ctp, tst_info, validation_log)
+                if _sync {
+                    fetch_and_check_ocsp_response(sign1, data, ctp, tst_info, validation_log)
+                } else {
+                    fetch_and_check_ocsp_response_async(sign1, data, ctp, tst_info, validation_log)
+                        .await
+                }
             }
             OcspFetchPolicy::DoNotFetch => {
                 if let Some(ocsp_response_ders) = ocsp_responses {
@@ -276,54 +277,53 @@ fn check_stapled_ocsp_response(
 }
 
 /// Fetches and validates an OCSP response for the given COSE signature.
-// TO DO: Add async version of this?
+#[async_generic()]
+#[allow(unreachable_code)] // wasm-bindgen will immediately return error for synchronous use.
+#[allow(unused_variables)]
 pub(crate) fn fetch_and_check_ocsp_response(
     sign1: &CoseSign1,
     data: &[u8],
     ctp: &CertificateTrustPolicy,
     _tst_info: Option<&TstInfo>,
     validation_log: &mut StatusTracker,
 ) -> Result<OcspResponse, CoseError> {
-    #[cfg(target_arch = "wasm32")]
-    {
-        let _ = (sign1, data, ctp, validation_log);
-        Ok(OcspResponse::default())
-    }
+    let certs = cert_chain_from_sign1(sign1)?;
 
-    #[cfg(not(target_arch = "wasm32"))]
-    {
-        let certs = cert_chain_from_sign1(sign1)?;
-
-        let Some(ocsp_der) = crate::crypto::ocsp::fetch_ocsp_response(&certs) else {
-            return Ok(OcspResponse::default());
-        };
+    let ocsp_der: Vec<u8> = if _sync {
+        match crate::crypto::ocsp::fetch_ocsp_response(&certs) {
+            Some(der) => der,
+            None => return Ok(OcspResponse::default()),
+        }
+    } else {
+        match crate::crypto::ocsp::fetch_ocsp_response_async(&certs).await {
+            Some(der) => der,
+            None => return Ok(OcspResponse::default()),
+        }
+    };
 
-        let ocsp_response_der = ocsp_der;
+    let ocsp_response_der = ocsp_der;
 
-        let signing_time: Option<DateTime<Utc>> =
-            validate_cose_tst_info(sign1, data, ctp, validation_log)
-                .ok()
-                .map(|tst_info| tst_info.gen_time.clone().into());
+    let signing_time: Option<DateTime<Utc>> =
+        validate_cose_tst_info(sign1, data, ctp, validation_log)
+            .ok()
+            .map(|tst_info| tst_info.gen_time.clone().into());
 
-        // Check the OCSP response, but only if it is well-formed.
-        // Revocation errors are reported in the validation log.
-        let Ok(ocsp_data) =
-            OcspResponse::from_der_checked(&ocsp_response_der, signing_time, validation_log)
-        else {
-            // TO REVIEW: This is how the old code worked, but is it correct to ignore a
-            // malformed OCSP response?
-            return Ok(OcspResponse::default());
+    // Check the OCSP response, but only if it is well-formed.
+    // Revocation errors are reported in the validation log.
+    let ocsp_data =
+        match OcspResponse::from_der_checked(&ocsp_response_der, signing_time, validation_log) {
+            Ok(data) => data,
+            Err(_) => return Ok(OcspResponse::default()),
         };
 
-        // If we get a valid response validate the certs.
-        if ocsp_data.revoked_at.is_none() {
-            if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
-                check_end_entity_certificate_profile(&ocsp_certs[0], ctp, validation_log, None)?;
-            }
+    // If we get a valid response validate the certs.
+    if ocsp_data.revoked_at.is_none() {
+        if let Some(ocsp_certs) = &ocsp_data.ocsp_certs {
+            check_end_entity_certificate_profile(&ocsp_certs[0], ctp, validation_log, None)?;
         }
-
-        Ok(ocsp_data)
     }
+
+    Ok(ocsp_data)
 }
 
 /// Returns the DER-encoded OCSP response from the "rVals" unprotected header in a COSE_Sign1 message.