From 52437a416c986761657e1ca6fa5a7a0e47dd21d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 22 Nov 2016 11:36:46 +0100 Subject: [PATCH] Fix verify module, add test case --- .travis.yml | 12 ++++++++++++ REQUIREMENTS | 2 ++ misp_modules/modules/event/verify.py | 4 ++-- tests/57c4445b-c548-4654-af0b-4be3950d210f.json | 1 + tests/gpg/test_org_gpg | 7 +++++++ tests/test.py | 15 +++++++++++++++ 6 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 tests/57c4445b-c548-4654-af0b-4be3950d210f.json create mode 100644 tests/gpg/test_org_gpg diff --git a/.travis.yml b/.travis.yml index fbe3487..08e775a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,17 +5,29 @@ cache: pip services: - redis-server +addons: + apt: + packages: + - libgpg-error-dev + - libgpgme11-dev + python: - "3.3" - "3.4" - "3.5" - "3.5-dev" + - "3.6-dev" - "nightly" +before_install: + - gpg --batch --gen-key tests/gpg/test_org_gpg + install: + - pip install -U pip - pip install -U nose - pip install coveralls - pip install codecov + - pip install --pre pyme3 - pip install -U -r REQUIREMENTS - pip install . diff --git a/REQUIREMENTS b/REQUIREMENTS index 92a84d7..0815ab5 100644 --- a/REQUIREMENTS +++ b/REQUIREMENTS @@ -15,3 +15,5 @@ git+https://github.com/Rafiot/uwhoisd.git@testing#egg=uwhois&subdirectory=client pillow pytesseract SPARQLWrapper +git+https://github.com/MISP/PyMISP.git +--pre pyme3 diff --git a/misp_modules/modules/event/verify.py b/misp_modules/modules/event/verify.py index a457ef4..b32aa07 100755 --- a/misp_modules/modules/event/verify.py +++ b/misp_modules/modules/event/verify.py @@ -10,7 +10,7 @@ moduleinfo = {'version': '0.1', 'author': 'Raphaƫl Vinot', 'description': 'Verify the signature of a MISP Event', 'module-type': ['event']} -moduleconfig = ['uid'] +moduleconfig = [] ''' NOTE: 
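Review bot: The two dependencies added to REQUIREMENTS are not pinned, so the library code that performs signature verification is whatever upstream serves at install time: `git+https://github.com/MISP/PyMISP.git` follows the default branch and `--pre pyme3` accepts any pre-release. Pinning the Git requirement to a reviewed revision, e.g. `git+https://github.com/MISP/PyMISP.git@<reviewed-commit-sha>#egg=pymisp` (placeholder, not a real revision), and giving pyme3 an exact version would make installs reproducible and auditable. `--pre` is a global option in a pip requirements file, so as written it likely enables pre-releases for every package in the file rather than only pyme3. The `pip install --pre pyme3` line added to .travis.yml has the same unpinned pre-release issue.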
@@ -26,7 +26,7 @@ def handler(q=False): request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event) mispevent = MISPEvent() mispevent.load(request['mispevent']) - verified = mispevent.verify(mispevent.Org['uuid']) + verified = mispevent.verify(mispevent.Orgc['uuid']) return json.dumps(verified) diff --git a/tests/57c4445b-c548-4654-af0b-4be3950d210f.json b/tests/57c4445b-c548-4654-af0b-4be3950d210f.json new file mode 100644 index 0000000..29bb02c --- /dev/null +++ b/tests/57c4445b-c548-4654-af0b-4be3950d210f.json 
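Review bot: The identity to verify against is taken from the event being verified: `mispevent.Orgc['uuid']` comes out of the same untrusted JSON as the signature, so a positive result only means "signed by whichever key the local keyring associates with the UUID the event claims". What `MISPEvent.verify` does with that argument is not visible here, so this is a point to confirm rather than a demonstrated flaw. A comment above the call such as `# uid is read from the untrusted event; trust rests on the keyring holding only vetted org keys` would record the assumption. An event without an `Orgc` entry would presumably raise inside `handler`, and returning an explicit error for that case would keep a malformed event from surfacing as an unhandled exception. `handler` starts and ends outside this hunk.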
@@ -0,0 +1 @@ +{"Event": {"info": "Ransomware - Xorist", "publish_timestamp": "1472548231", "timestamp": "1472541011", "analysis": "2", "Attribute": [{"category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "uuid": "57c5300c-0560-4146-bfaa-40e802de0b81", "timestamp": "1472540684", "to_ids": false, "value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/", "type": "link"}, {"category": "External analysis", "comment": "", "uuid": "57c5310b-dc34-43cb-8b8e-4846950d210f", "timestamp": "1472541011", "to_ids": false, "value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html", "type": "link"}, {"category": "Other", "comment": "", "uuid": "57c444c0-8004-48fa-9c33-8aca950d210f", "timestamp": "1472480448", "to_ids": false, "value": "UPX packed", "type": "comment"}, {"category": "Other", "comment": "", "uuid": "57c44648-96f4-45d4-a8eb-453e950d210f", "timestamp": "1472480840", "to_ids": false, "value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA", "type": "text"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-fb04-457d-87e7-4127950d210f", "timestamp": "1472480394", "to_ids": true, "value": "3Z4wnG9603it23y.exe", "type": "filename"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-454c-4d17-90d1-4d2f950d210f", "timestamp": "1472480395", "to_ids": true, "value": "0749bae92ca336a02c83d126e04ec628", "type": "md5"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-bef0-4ba7-a071-444e950d210f", "timestamp": "1472480394", "to_ids": true, "value": "77b0c41b7d340b8a3d903f21347bbf06aa766b5b", "type": "sha1"}, {"category": "Payload delivery", "comment": 
"Imported via the Freetext Import Tool", "uuid": "57c4448b-3fa4-4d65-9ccc-4afa950d210f", "timestamp": "1472480395", "to_ids": true, "value": "b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "type": "sha256"}, {"category": "Persistence mechanism", "comment": "", "uuid": "57c54b0f-27a4-458b-8e63-4455950d210f", "timestamp": "1472547599", "to_ids": true, "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run|%TEMP%\\3Z4wnG9603it23y.exe", "type": "regkey|value"}], "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#3d7a00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#420053", "exportable": true, "name": "ms-caro-malware:malware-type=\"Ransom\""}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}], "published": true, "date": "2016-08-29", "Orgc": {"name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"}, "threat_level_id": "3", "uuid": "57c4445b-c548-4654-af0b-4be3950d210f"}} \ No newline at end of file diff --git a/tests/gpg/test_org_gpg b/tests/gpg/test_org_gpg new file mode 100644 index 0000000..efb96fc --- /dev/null +++ b/tests/gpg/test_org_gpg @@ -0,0 +1,7 @@ + %echo Generating a basic OpenPGP key + Key-Type: RSA + Name-Real: 5832bfa8-76d0-4bdb-a221-46fa950d210f + Passphrase: misptestorg + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done diff --git a/tests/test.py b/tests/test.py index d506595..4615de7 100644 --- a/tests/test.py +++ b/tests/test.py @@ -6,6 +6,7 @@ import requests import base64 import json import os +from pymisp import MISPEvent, EncodeUpdate class TestModules(unittest.TestCase): 
@@ -54,5 +55,19 @@ class TestModules(unittest.TestCase): response = requests.post(self.url + "query", data=f.read()).json() assert(response) + def test_sign(self): + event = MISPEvent() + event.load('tests/57c4445b-c548-4654-af0b-4be3950d210f.json') + data = {'module': 'sign', + 'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f', 'passphrase': 'misptestorg'}, + 'mispevent': json.dumps(event, cls=EncodeUpdate)} + signed_event = requests.post(self.url + "query", data=json.dumps(data)).json() + event.load(signed_event) + data = {'module': 'verify', + 'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f'}, + 'mispevent': json.dumps(event, cls=EncodeUpdate)} + verified = requests.post(self.url + "query", data=json.dumps(data)) + assert(verified) + if __name__ == '__main__': unittest.main()
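Review bot: `assert(verified)` in `test_sign` tests the `requests` Response object, which is truthy for any non-error HTTP status, so the test passes even when the verify module reports a failed signature check. The body should be decoded and checked, e.g. `verified = requests.post(self.url + "query", data=json.dumps(data)).json()` followed by an assertion on its content (the exact shape depends on what `MISPEvent.verify` returns, which is not shown here). The fixture's `Orgc` uuid (`55f6ea5e-2c60-40e5-964f-47a8950d210f`) differs from the test key's uid (`5832bfa8-76d0-4bdb-a221-46fa950d210f`), and the `uid` still sent in the verify request's `config` appears unused now that `moduleconfig` is empty, so it is worth confirming which key the verify step actually checks against. A negative case that alters an attribute after signing and expects verification to fail would turn this into a real regression test for the module.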