Update cert trust test after fix, and add new test

The PE cert test can be enabled now that the cert trust feature is
fixed. In so doing I found an issue with it -- it was also using the
block-certificate signature, which overrides the trust-certificate
signatures. This made me realize that we should also have a test to make
sure the block-cert signatures take predence over the trust-cert sigs.

I fixed the original sig and added this second test case.

unit_tests/clamscan/allmatch_test.py

@@ -291,9 +291,11 @@ class TC(testcase.TestCase):
              -d {alerting_dbs} \
              -d {weak_dbs} \
              -d {broken_dbs} \
+             -d {block_cert_dbs} \
              --allmatch --bytecode-unsigned {testfiles}'.format(
             valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
             alerting_dbs=test_path / 'alert-sigs',
+            block_cert_dbs=test_path / 'block-cert-sigs',
             weak_dbs=test_path / 'weak-sigs',
             broken_dbs=test_path / 'broken-sigs',
             testfiles=test_exe,
@@ -307,6 +309,7 @@ class TC(testcase.TestCase):
         # Note: Some of these have ".UNOFFICIAL" in the name because not all of them have that ".UNOFFICIAL" suffix when reported.
         #       I think this is a minor bug. So if we change that, we'll need to update this test.
         expected_results = ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'alert-sigs').iterdir()]
+        expected_results += ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'block-cert-sigs').iterdir()]
 
         # The broken sig files are all given the signature name, so we can verify that the correct sigs were found.
         # TODO: When we fix section signatures, we can move them to the alerting sigs directory and get rid of this line.

unit_tests/clamscan/assorted_test.py

@@ -84,15 +84,9 @@ class TC(testcase.TestCase):
         expected_results.append('Infected files: {}'.format(expected_num_infected))
         self.verify_output(output.out, expected=expected_results)
 
-    @unittest.expectedFailure
     def test_pe_cert_trust(self):
         self.step_name('Test that clam can trust an EXE based on an authenticode certificate check.')
 
-        # TODO: This feature was added in 0.105, but was also broken during that release cycle when we upgraded TomsFastMath.
-        #       So instead of trusting the certificate, prints this out and the certificate is not trusted so the matches may still happen:
-        #           LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
-        #       We need to fix this, and then update this test.
-
         test_path = TC.path_source / 'unit_tests' / 'input' / 'pe_allmatch'
         test_exe = test_path / 'test.exe'
 
@@ -122,3 +116,47 @@ class TC(testcase.TestCase):
         unexpected_results = ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'alert-sigs').iterdir()]
 
         self.verify_output(output.out, expected=expected_results, unexpected=unexpected_results)
+
+    def test_pe_cert_block(self):
+        self.step_name('Test that clam will disregard a certificate trust signature if a block certificate rule is used.')
+
+        # The sig set and test.exe for test set was written by one of our threat researchers to test the allmatch option.
+        # Overall, it's much more thorough than previous tests, but some of the tests are duplicates of the previous tests.
+
+        # TODO: The section signatures are not working as written, hence the "broken_dbs" directory.
+        #       There is a known issue with relative offset signatures when using the Boyer-Moore matcher. The sigs work if using the Aho-Corasick matcher.
+        #       When we fix section signatures, we can move them to the alerting sigs directory and update this test.
+
+        test_path = TC.path_source / 'unit_tests' / 'input' / 'pe_allmatch'
+        test_exe = test_path / 'test.exe'
+
+        command = '{valgrind} {valgrind_args} {clamscan} \
+             -d {alerting_dbs} \
+             -d {weak_dbs} \
+             -d {broken_dbs} \
+             -d {block_cert_dbs} \
+             --allmatch --bytecode-unsigned {testfiles}'.format(
+            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
+            alerting_dbs=test_path / 'alert-sigs',
+            block_cert_dbs=test_path / 'block-cert-sigs',
+            weak_dbs=test_path / 'weak-sigs',
+            broken_dbs=test_path / 'broken-sigs',
+            trust_dbs=test_path / 'trust-sigs',
+            testfiles=test_exe,
+        )
+        output = self.execute_command(command)
+
+        assert output.ec == 1
+
+        # The alert sig files are all given the signature name, so we can verify that the correct sigs were found.
+        # We need only to trim off the extension and say "FOUND" for the alerting sigs.
+        # Note: Some of these have ".UNOFFICIAL" in the name because not all of them have that ".UNOFFICIAL" suffix when reported.
+        #       I think this is a minor bug. So if we change that, we'll need to update this test.
+        expected_results = ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'alert-sigs').iterdir()]
+        expected_results += ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'block-cert-sigs').iterdir()]
+
+        # The broken sig files are all given the signature name, so we can verify that the correct sigs were found.
+        # TODO: When we fix section signatures, we can move them to the alerting sigs directory and get rid of this line.
+        unexpected_results = ['{sig} FOUND'.format(sig=f.stem) for f in (test_path / 'broken-sigs').iterdir()]
+
+        self.verify_output(output.out, expected=expected_results, unexpected=unexpected_results)