Merge pull request #7403 from LibreSign/backport/7402/stable32

[stable32] fix: CRL disabled flow and signing error UX

Author: vitormattos

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -193,7 +193,10 @@ private function addCrlValidationInfo(array &$certData, string $certPem): void {
 				$certData['crl_revoked_at'] = $crlDetails['revoked_at'];
 			}
 		} else {
-			$certData['crl_validation'] = CrlValidationStatus::MISSING;
+			$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
+			$certData['crl_validation'] = $externalValidationEnabled
+				? CrlValidationStatus::MISSING
+				: CrlValidationStatus::DISABLED;
 			$certData['crl_urls'] = [];
 		}
 	}

lib/Service/Crl/CrlRevocationChecker.php

@@ -46,20 +46,33 @@ public function __construct(
 
 	/**
 	 * Validate a certificate against the CRL Distribution Points found in its
-	 * data. Returns an array with at least a 'status' key ({@see CrlValidationStatus})
+	 * data. Returns an array with a 'status' key (always {@see CrlValidationStatus})
 	 * and optionally 'revoked_at' (ISO 8601) when the certificate is revoked.
+	 *
+	 * @return array{status: CrlValidationStatus, revoked_at?: string}
 	 */
 	public function validate(array $crlUrls, string $certPem): array {
 		return $this->validateFromUrlsWithDetails($crlUrls, $certPem);
 	}
 
+	/**
+	 * Internal validation worker that iterates through CRL distribution points
+	 * and returns the validation status from the first accessible/conclusive point.
+	 *
+	 * @return array{status: CrlValidationStatus, revoked_at?: string}
+	 */
 	private function validateFromUrlsWithDetails(array $crlUrls, string $certPem): array {
+		$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
+
 		if (empty($crlUrls)) {
+			// When external validation is disabled, treat an empty distribution-point
+			// list the same as if all points were intentionally skipped.
+			if (!$externalValidationEnabled) {
+				return ['status' => CrlValidationStatus::DISABLED];
+			}
 			return ['status' => CrlValidationStatus::NO_URLS];
 		}
 
-		$externalValidationEnabled = $this->appConfig->getValueBool(Application::APP_ID, 'crl_external_validation_enabled', true);
-
 		$accessibleUrls = 0;
 		$disabledUrls = 0;
 		foreach ($crlUrls as $crlUrl) {
@@ -101,6 +114,11 @@ private function validateFromUrlsWithDetails(array $crlUrls, string $certPem): a
 		return ['status' => CrlValidationStatus::VALIDATION_FAILED];
 	}
 
+	/**
+	 * Download and validate CRL content from a single source URL.
+	 *
+	 * @return array{status: CrlValidationStatus, revoked_at?: string}
+	 */
 	private function downloadAndValidateWithDetails(string $crlUrl, string $certPem, bool $isLocal): array {
 		try {
 			if ($isLocal) {
@@ -221,6 +239,11 @@ protected function isSerialNumberInCrl(string $crlText, string $serialNumber): b
 		return preg_match('/Serial Number: 0*' . preg_quote($normalizedSerial, '/') . '/', $crlText) === 1;
 	}
 
+	/**
+	 * Check if certificate serial is revoked in the provided CRL content.
+	 *
+	 * @return array{status: CrlValidationStatus, revoked_at?: string}
+	 */
 	private function checkCertificateInCrlWithDetails(string $certPem, string $crlContent): array {
 		try {
 			$certResource = openssl_x509_read($certPem);

lib/Service/IdentifyMethod/SignatureMethod/Password.php

@@ -59,12 +59,31 @@ private function validateCertificateRevocation(array $certificateData): void {
 		if ($status === CrlValidationStatus::DISABLED) {
 			return;
 		}
-		// Any other status (urls_inaccessible, validation_failed, validation_error, etc.):
-		// fail-closed – we cannot confirm the certificate is not revoked.
-		throw new LibresignException(
-			$this->identifyService->getL10n()->t('Certificate revocation status could not be verified'),
-			422
-		);
+		$this->logRevocationBlockedSigning($status);
+		throw new LibresignException($this->getRevocationErrorMessage($status), 422);
+	}
+
+	private function logRevocationBlockedSigning(CrlValidationStatus $status): void {
+		$this->identifyService->getLogger()->warning('Signing blocked due to CRL validation status', [
+			'status' => $status->value,
+			'signer_uid' => $this->userSession->getUser()?->getUID(),
+		]);
+	}
+
+	private function getRevocationErrorMessage(CrlValidationStatus $status): string {
+		return match ($status) {
+			// TRANSLATORS Error when the CRL distribution points (URLs) cannot be reached to check if certificate is revoked
+			CrlValidationStatus::URLS_INACCESSIBLE => $this->identifyService->getL10n()->t('Cannot reach the certificate revocation service. Signing is not allowed.'),
+			// TRANSLATORS Error when an error occurs during certificate revocation status validation
+			CrlValidationStatus::VALIDATION_ERROR => $this->identifyService->getL10n()->t('An error occurred during certificate validation. Signing is not allowed.'),
+			// TRANSLATORS Error when certificate validation completed but could not determine if certificate is revoked
+			CrlValidationStatus::VALIDATION_FAILED => $this->identifyService->getL10n()->t('Certificate validation failed. Signing is not allowed. Contact your administrator.'),
+			// TRANSLATORS Error when certificate has no CRL distribution points (URLs to check revocation)
+			CrlValidationStatus::NO_URLS => $this->identifyService->getL10n()->t('This certificate has no revocation URLs. Signing is not allowed. Contact your administrator.'),
+			// TRANSLATORS Error when certificate has no revocation information configured
+			CrlValidationStatus::MISSING => $this->identifyService->getL10n()->t('This certificate has no revocation information. Signing is not allowed. Contact your administrator.'),
+			default => $this->identifyService->getL10n()->t('Certificate validation could not be completed. Signing is not allowed.'),
+		};
 	}
 
 	private function validateCertificateExpiration(array $certificateData): void {

playwright/e2e/sign-password-non-retriable-error.spec.ts

@@ -0,0 +1,142 @@
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { expect, test } from '@playwright/test'
+import { login } from '../support/nc-login'
+import { configureOpenSsl, deleteUserPfx, setAppConfig } from '../support/nc-provisioning'
+
+async function prepareSignFlow(page: Parameters<typeof test>[1] extends (args: infer T) => any ? T['page'] : never, adminUser: string) {
+	await page.goto('./apps/libresign')
+
+	await page.getByRole('button', { name: 'Upload from URL' }).click()
+	await page.getByRole('textbox', { name: 'URL of a PDF file' }).fill('https://raw.githubusercontent.com/LibreSign/libresign/main/tests/php/fixtures/pdfs/small_valid.pdf')
+	await page.getByRole('button', { name: 'Send' }).click()
+	await page.getByRole('button', { name: 'Add signer' }).click()
+	await page.getByPlaceholder('Account').fill(adminUser)
+	await page.getByText('admin@email.tld').click()
+	await page.getByRole('button', { name: 'Save' }).click()
+	await page.getByRole('button', { name: 'Request signatures' }).click()
+	await page.getByRole('button', { name: 'Send' }).click()
+	await page.getByRole('button', { name: 'Sign document' }).click()
+	await page.getByRole('button', { name: 'Define a password and sign the document.' }).click()
+	await page.getByLabel('Enter a password').fill('Password1234')
+	await page.getByRole('button', { name: 'Confirm' }).click()
+	await page.getByRole('button', { name: 'Sign the document.' }).click()
+	await page.getByLabel('Signature password').fill('Password1234')
+}
+
+async function bootstrapAdminCertificate(page: Parameters<typeof test>[1] extends (args: infer T) => any ? T['page'] : never) {
+	const adminUser = process.env.NEXTCLOUD_ADMIN_USER ?? 'admin'
+	const adminPassword = process.env.NEXTCLOUD_ADMIN_PASSWORD ?? 'admin'
+
+	await login(page.request, adminUser, adminPassword)
+
+	await configureOpenSsl(page.request, 'LibreSign Test', {
+		C: 'BR',
+		OU: ['Organization Unit'],
+		ST: 'Rio de Janeiro',
+		O: 'LibreSign',
+		L: 'Rio de Janeiro',
+	})
+
+	await setAppConfig(
+		page.request,
+		'libresign',
+		'identify_methods',
+		JSON.stringify([
+			{ name: 'account', enabled: true, mandatory: true, signatureMethods: { password: { enabled: true } } },
+			{ name: 'email', enabled: false, mandatory: false },
+		]),
+	)
+
+	await setAppConfig(
+		page.request,
+		'libresign',
+		'crl_external_validation_enabled',
+		'1',
+	)
+
+	await deleteUserPfx(page.request, adminUser, adminPassword)
+
+	return { adminUser }
+}
+
+test('switches from blocked (enabled) to normal (disabled) without extra scenarios', async ({ page }) => {
+	const { adminUser } = await bootstrapAdminCertificate(page)
+	await prepareSignFlow(page, adminUser)
+
+	const signRoute = '**/ocs/v2.php/apps/libresign/api/v1/sign/**'
+
+	const blockedHandler = async (route) => {
+		await route.fulfill({
+			status: 422,
+			contentType: 'application/json',
+			body: JSON.stringify({
+				ocs: {
+					meta: {
+						status: 'failure',
+						statuscode: 422,
+						message: 'Certificate revocation status could not be verified',
+					},
+					data: {
+						action: 0,
+						errors: [{
+							code: 422,
+							message: 'Certificate revocation status could not be verified',
+						}],
+					},
+				},
+			}),
+		})
+	}
+
+	await page.route(signRoute, blockedHandler)
+
+	await page.getByRole('button', { name: 'Sign document' }).click()
+
+	await expect(page.getByLabel('Signature password')).toBeHidden()
+	await expect(page.getByRole('button', { name: 'Sign the document.' })).toBeHidden()
+	await expect(page.getByRole('button', { name: 'Try signing again' })).toBeVisible()
+	await expect(page.locator('.button-wrapper').getByText('Certificate revocation status could not be verified').first()).toBeVisible()
+	await page.screenshot({ path: '/tmp/playwright-results/non-retriable-blocked-ui.png', fullPage: true })
+
+	await setAppConfig(
+		page.request,
+		'libresign',
+		'crl_external_validation_enabled',
+		'0',
+	)
+
+	await page.unroute(signRoute, blockedHandler)
+
+	await page.route(signRoute, async (route) => {
+		await route.fulfill({
+			status: 200,
+			contentType: 'application/json',
+			body: JSON.stringify({
+				ocs: {
+					meta: {
+						status: 'ok',
+						statuscode: 200,
+						message: null,
+					},
+					data: {
+						action: 0,
+						status: 'signed',
+					},
+				},
+			}),
+		})
+	})
+
+	await page.getByRole('button', { name: 'Try signing again' }).click()
+	await page.getByRole('button', { name: 'Sign the document.' }).click()
+	await page.getByLabel('Signature password').fill('Password1234')
+	await page.getByRole('button', { name: 'Sign document' }).click()
+
+	await expect(page.getByText('Signing is blocked until the certificate validation issue is resolved.')).toBeHidden()
+	await expect(page.getByRole('button', { name: 'Try signing again' })).toBeHidden()
+	await page.screenshot({ path: '/tmp/playwright-results/non-retriable-normal-ui.png', fullPage: true })
+})

src/tests/views/SignPDF/Sign.spec.ts

@@ -6,9 +6,10 @@
 import { beforeAll, beforeEach, describe, expect, it, vi } from 'vitest'
 import type { MockedFunction } from 'vitest'
 import { setActivePinia, createPinia } from 'pinia'
-import { mount } from '@vue/test-utils'
+import { flushPromises, mount } from '@vue/test-utils'
 import { useSignMethodsStore } from '../../../store/signMethods.js'
 import type { useSignStore } from '../../../store/sign.js'
+import { FILE_STATUS, SIGN_REQUEST_STATUS } from '../../../constants.js'
 
 type TokenMethodKey = 'smsToken' | 'whatsappToken' | 'signalToken' | 'telegramToken' | 'xmppToken'
 
@@ -509,6 +510,106 @@ describe('Sign.vue - signWithTokenCode', () => {
 			expect(context.signStore.setSigningErrors).toHaveBeenCalledWith(apiErrors)
 			expect(context.loading).toBe(false)
 		})
+
+		it('closes password modal when signing fails with non-retriable certificate error', async () => {
+			const apiErrors = [{ message: 'Certificate revocation status could not be verified', code: 422 }]
+			const context = {
+				loading: false,
+				elements: [],
+				canCreateSignature: false,
+				signRequestUuid: 'test-sign-request-uuid',
+				signMethodsStore: {
+					certificateEngine: 'openssl',
+				},
+				signatureElementsStore: {
+					signs: {},
+				},
+				actionHandler: {
+					showModal: vi.fn(),
+					closeModal: vi.fn(),
+				},
+				signStore: {
+					document: { id: 10 },
+					clearSigningErrors: vi.fn(),
+					setSigningErrors: vi.fn(),
+					submitSignature: vi.fn().mockRejectedValue({
+						type: 'signError',
+						errors: apiErrors,
+					}),
+				},
+				$emit: vi.fn(),
+				sidebarStore: {
+					hideSidebar: vi.fn(),
+				},
+			}
+
+			await submitSignatureCompatMethod.call(context, {
+				method: 'password',
+				token: '123456',
+			})
+
+			expect(context.actionHandler.closeModal).toHaveBeenCalledWith('password')
+			expect(context.signStore.setSigningErrors).toHaveBeenCalledWith(apiErrors)
+			expect(context.loading).toBe(false)
+		})
+
+		it('blocks sign CTA and shows explicit retry action when non-retriable error exists', async () => {
+			setActivePinia(createPinia())
+
+			const SignComponent = await import('../../../views/SignPDF/_partials/Sign.vue')
+			const realSign = SignComponent.default
+			const { useSignStore } = await import('../../../store/sign.js')
+
+			const mountedSignStore = useSignStore()
+			mountedSignStore.document = createSignDocument({
+				status: FILE_STATUS.ABLE_TO_SIGN,
+				signers: [{ me: true, status: SIGN_REQUEST_STATUS.ABLE_TO_SIGN, signRequestId: 501 }],
+				visibleElements: [],
+			})
+			mountedSignStore.setSigningErrors([
+				{ message: 'Certificate validation failed', code: 422 },
+			])
+
+			const wrapper = mount(realSign, {
+				global: {
+					stubs: {
+						NcButton: {
+							template: '<button><slot /></button>',
+						},
+						NcDialog: true,
+						NcLoadingIcon: true,
+						TokenManager: true,
+						EmailManager: true,
+						UploadCertificate: true,
+						Documents: true,
+						Signatures: true,
+						Draw: true,
+						ManagePassword: true,
+						CreatePassword: true,
+						NcNoteCard: {
+							template: '<div class="nc-note-card-stub"><slot /></div>',
+						},
+						NcPasswordField: true,
+						NcRichText: {
+							props: ['text'],
+							template: '<span>{{ text }}</span>',
+						},
+					},
+					mocks: {
+						$watch: vi.fn(),
+						$nextTick: vi.fn(),
+					},
+				},
+			})
+
+			await wrapper.vm.$nextTick()
+			await wrapper.vm.$nextTick()
+			await flushPromises()
+
+			expect(wrapper.text()).toContain('Try signing again')
+			expect(wrapper.text()).not.toContain('Sign the document.')
+			expect(wrapper.findAll('.nc-note-card-stub')).toHaveLength(1)
+		})
 	})
 
 	describe('proceedWithSigning - Full flow with WhatsApp token', () => {