c2pa 0.80.3

Rust SDK for C2PA (Coalition for Content Provenance and Authenticity) implementors
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

mod common;
use std::io::Cursor;

use c2pa::{
    assertions::DataHash, validation_status, Builder, BuilderIntent, Error, HashRange, Reader,
    Result,
};
use common::{fixture_stream, test_context};

#[test]
fn test_reader_ts_changed() -> Result<()> {
    let (format, mut stream) = fixture_stream("CA_ct.jpg")?;
    let reader = Reader::default().with_stream(&format, &mut stream).unwrap();
    // in the older validation statuses, this was an error, but now it is informational
    assert_eq!(
        reader
            .validation_results()
            .unwrap()
            .active_manifest()
            .unwrap()
            .informational[0]
            .code(),
        validation_status::TIMESTAMP_MALFORMED
    );

    Ok(())
}

#[test]
fn test_bad_data_hash() -> Result<()> {
    let context = test_context().into_shared();

    const TEST_IMAGE: &[u8] = include_bytes!("fixtures/CA.jpg");
    let format = "image/jpeg";
    let mut source = Cursor::new(TEST_IMAGE);

    let mut builder = Builder::from_shared_context(&context);
    builder.set_intent(BuilderIntent::Edit);

    use c2pa::assertions::Action;
    builder.add_action(Action::new("c2pa.published"))?;

    builder.add_action(serde_json::json!({
        "action": "c2pa.edited",
        "parameters": {
            "description": "edited",
            "name": "any value"
        },
        "softwareAgent": {
            "name": "TestApp",
            "version": "1.0.0"
        }
    }))?;

    // add empty data hash
    let empty_hash =
        hex::decode("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
            .expect("Invalid hex");

    let mut malicious_data_hash = DataHash::new("malicious", "sha256");
    malicious_data_hash.exclusions = Some(vec![HashRange::new(0, 0)]); // THE EXPLOIT!
    malicious_data_hash.set_hash(empty_hash.clone());

    builder.add_assertion("c2pa.hash.data", &malicious_data_hash)?;

    let mut dest = Cursor::new(Vec::new());

    let result = builder.sign(context.signer()?, format, &mut source, &mut dest);
    assert!(matches!(result, Err(Error::HashMismatch(..))));

    Ok(())
}