From 69b939c707c38be9e1ca1e671560ff385729a2d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Eric=20Janouch?= <p@janouch.name>
Date: Wed, 28 Jun 2023 23:12:42 +0200
Subject: [PATCH] Fix tests, document new limitation

---
 README.adoc |  3 ++-
 test.sh     | 17 +++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/README.adoc b/README.adoc
index 50dc9e6..0a5c3fa 100644
--- a/README.adoc
+++ b/README.adoc
@@ -2,7 +2,8 @@ pdf-simple-sign
 ===============
 
 'pdf-simple-sign' is a simple PDF signer intended for documents produced by
-the Cairo library, GNU troff, ImageMagick, or similar.
+the Cairo library (≤ 1.17.4 or using PDF 1.4), GNU troff, ImageMagick,
+or similar.
 
 I don't aim to extend the functionality any further.  The project is fairly
 self-contained and it should be easy to grasp and change to suit to your needs.
diff --git a/test.sh b/test.sh
index f87d525..52fccaa 100755
--- a/test.sh
+++ b/test.sh
@@ -11,7 +11,8 @@ mkdir tmp
 
 # Create documents in various tools
 log "Creating source documents"
-inkscape --pipe --export-filename=tmp/cairo.pdf <<'EOF' 2>/dev/null || :
+inkscape --pipe --export-filename=tmp/cairo.pdf --export-pdf-version=1.4 \
+<<'EOF' 2>/dev/null || :
 <svg xmlns="http://www.w3.org/2000/svg"><text x="5" y="10">Hello</text></svg>
 EOF
 
@@ -45,7 +46,11 @@ openssl x509 -req -in tmp/cert.csr -out tmp/cert.pem \
 	-CA tmp/ca.cert.pem -CAkey tmp/ca.key.pem -set_serial 1 \
 	-extensions smime -extfile tmp/cert.cfg 2>/dev/null
 openssl verify -CAfile tmp/ca.cert.pem tmp/cert.pem >/dev/null
+
+# The second line accomodates the Go signer,
+# which doesn't support SHA-256 within pkcs12 handling
 openssl pkcs12 -inkey tmp/key.pem -in tmp/cert.pem \
+	-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
 	-export -passout pass: -out tmp/key-pair.p12
 
 for tool in "$@"; do
@@ -55,6 +60,11 @@ for tool in "$@"; do
 		result=${source%.pdf}.signed.pdf
 		$tool "$source" "$result" tmp/key-pair.p12 ""
 		pdfsig -nssdir sql:tmp/nssdir "$result" | grep Validation
+
+		# Only some of our generators use PDF versions higher than 1.5
+		log "Testing $tool for version detection"
+		grep -q "/Version /1.6" "$result" || grep -q "^%PDF-1.6" "$result" \
+			|| die "Version detection seems to misbehave (no upgrade)"
 	done
 
 	log "Testing $tool for expected failures"
@@ -63,11 +73,6 @@ for tool in "$@"; do
 	$tool -r 1 "$source" "$source.fail.pdf" tmp/key-pair.p12 "" \
 		&& die "Too low reservations shouldn't succeed"
 
-	# Our generators do not use PDF versions higher than 1.5
-	log "Testing $tool for version detection"
-	grep -q "/Version /1.6" "$result" \
-		|| die "Version detection seems to misbehave (no upgrade)"
-
 	sed '1s/%PDF-1../%PDF-1.7/' "$source" > "$source.alt"
 	$tool "$source.alt" "$result.alt" tmp/key-pair.p12 ""
 	grep -q "/Version /1.6" "$result.alt" \