easy_code_sign 0.1.0 → 0.2.0

data/test/pdf_signable_test.rb

@@ -2,12 +2,12 @@
 
 require "test_helper"
 require "tempfile"
-require "hexapdf"
+require "openssl"
 
 class PdfFileSignableTest < EasyCodeSignTest
   def setup
     @temp_pdf = Tempfile.new(["test", ".pdf"])
-    create_test_pdf(@temp_pdf.path)
+    create_minimal_pdf(@temp_pdf.path)
   end
 
   def teardown
@@ -49,77 +49,97 @@ class PdfFileSignableTest < EasyCodeSignTest
     refute signable.signed?
   end
 
-  def test_extract_signature_returns_nil_for_unsigned
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    assert_nil signable.extract_signature
-  end
-
-  def test_prepare_for_signing_succeeds
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    signable.prepare_for_signing
-
-    assert_equal "PDF_SIGNING_PLACEHOLDER", signable.content_to_sign
-  end
+  def test_apply_signature_produces_signed_pdf
+    key  = generate_rsa_key
+    cert = build_self_signed_cert(key)
+    out  = Tempfile.new(["signed", ".pdf"])
 
-  def test_default_signature_config
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-
-    refute signable.signature_config[:visible]
-    assert_equal 1, signable.signature_config[:page]
-    assert_equal :bottom_right, signable.signature_config[:position]
-  end
-
-  def test_visible_signature_option
     signable = EasyCodeSign::Signable::PdfFile.new(
       @temp_pdf.path,
-      visible_signature: true,
-      signature_position: :top_left
+      output_path: out.path,
+      signature_reason: "Testing"
+    )
+
+    signed_path = signable.apply_signature(
+      ->(hash) { key.sign_raw("SHA256", hash) },
+      [cert]
     )
 
-    assert signable.signature_config[:visible]
-    assert_equal :top_left, signable.signature_config[:position]
+    assert File.exist?(signed_path)
+
+    verifier = EasyCodeSign::Signable::PdfFile.new(signed_path)
+    sig = verifier.extract_signature
+
+    assert sig, "Expected a signature to be present"
+    assert sig[:contents], "Expected /Contents to be non-empty"
+    assert_equal 4, sig[:byte_range].size
+  ensure
+    out.close
+    out.unlink
   end
 
-  def test_signature_reason_and_location
-    signable = EasyCodeSign::Signable::PdfFile.new(
-      @temp_pdf.path,
-      signature_reason: "Approved",
-      signature_location: "New York"
-    )
+  def test_signed_returns_true_after_signing
+    key  = generate_rsa_key
+    cert = build_self_signed_cert(key)
+    out  = Tempfile.new(["signed2", ".pdf"])
+
+    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path, output_path: out.path)
+    signable.apply_signature(->(hash) { key.sign_raw("SHA256", hash) }, [cert])
 
-    assert_equal "Approved", signable.signature_config[:reason]
-    assert_equal "New York", signable.signature_config[:location]
+    verifier = EasyCodeSign::Signable::PdfFile.new(out.path)
+    assert verifier.signed?
+  ensure
+    out.close
+    out.unlink
   end
 
-  def test_signature_page_option
-    signable = EasyCodeSign::Signable::PdfFile.new(
-      @temp_pdf.path,
-      signature_page: 2
-    )
+  private
 
-    assert_equal 2, signable.signature_config[:page]
+  def generate_rsa_key
+    OpenSSL::PKey::RSA.generate(2048)
   end
 
-  def test_signable_for_returns_pdf_file
-    signable = EasyCodeSign.signable_for(@temp_pdf.path)
-    assert_instance_of EasyCodeSign::Signable::PdfFile, signable
+  def build_self_signed_cert(key)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version    = 2
+    cert.serial     = 1
+    cert.subject    = OpenSSL::X509::Name.parse("/CN=Test Signer")
+    cert.issuer     = cert.subject
+    cert.public_key = key.public_key
+    cert.not_before = Time.now
+    cert.not_after  = Time.now + 86_400
+    cert.sign(key, OpenSSL::Digest.new("SHA256"))
+    cert
   end
 
-  private
+  # Builds a minimal valid PDF using only stdlib — no hexapdf or prawn.
+  def create_minimal_pdf(path)
+    hdr  = "%PDF-1.4\n"
+    obj1 = "1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n"
+    obj2 = "2 0 obj\n<</Type /Pages /Kids [3 0 R] /Count 1>>\nendobj\n"
+    obj3 = "3 0 obj\n<</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>>\nendobj\n"
+
+    o1 = hdr.bytesize
+    o2 = o1 + obj1.bytesize
+    o3 = o2 + obj2.bytesize
+    xref_off = o3 + obj3.bytesize
 
-  def create_test_pdf(path)
-    doc = HexaPDF::Document.new
-    page = doc.pages.add
-    page.canvas.font("Helvetica", size: 12)
-    page.canvas.text("Test PDF Document", at: [100, 700])
-    doc.write(path)
+    xref = "xref\n0 4\n" \
+           "0000000000 65535 f \n" \
+           "#{o1.to_s.rjust(10, "0")} 00000 n \n" \
+           "#{o2.to_s.rjust(10, "0")} 00000 n \n" \
+           "#{o3.to_s.rjust(10, "0")} 00000 n \n"
+
+    trailer = "trailer\n<</Size 4 /Root 1 0 R>>\nstartxref\n#{xref_off}\n%%EOF\n"
+
+    File.binwrite(path, hdr + obj1 + obj2 + obj3 + xref + trailer)
   end
 end
 
 class PdfVerificationTest < EasyCodeSignTest
   def setup
     @temp_pdf = Tempfile.new(["test", ".pdf"])
-    create_test_pdf(@temp_pdf.path)
+    create_minimal_pdf(@temp_pdf.path)
   end
 
   def teardown
@@ -144,426 +164,30 @@ class PdfVerificationTest < EasyCodeSignTest
 
   private
 
-  def create_test_pdf(path)
-    doc = HexaPDF::Document.new
-    page = doc.pages.add
-    page.canvas.font("Helvetica", size: 12)
-    page.canvas.text("Test PDF for verification", at: [100, 700])
-    doc.write(path)
-  end
-
   def assert_any_match(array, pattern)
     assert array.any? { |item| item.match?(pattern) },
            "Expected at least one item in #{array.inspect} to match #{pattern.inspect}"
   end
-end
-
-class PdfDeferredSigningTest < EasyCodeSignTest
-  def setup
-    super
-    @temp_pdf = Tempfile.new(["deferred_test", ".pdf"])
-    create_test_pdf(@temp_pdf.path)
-    @key = OpenSSL::PKey::RSA.new(2048)
-    @cert = create_test_cert(@key)
-    @chain = [@cert]
-    @cleanup_files = []
-  end
-
-  def teardown
-    @temp_pdf.close
-    @temp_pdf.unlink
-    @cleanup_files.each { |f| File.delete(f) if File.exist?(f) }
-    super
-  end
-
-  def test_prepare_deferred_returns_request
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    assert_instance_of EasyCodeSign::DeferredSigningRequest, request
-    assert_instance_of String, request.digest
-    assert_equal :sha256, request.digest_algorithm
-    assert File.exist?(request.prepared_pdf_path)
-    assert_instance_of Array, request.byte_range
-    assert_equal 4, request.byte_range.size
-    assert_equal @cert.to_pem, request.certificate.to_pem
-    assert_instance_of Time, request.signing_time
-    assert_instance_of Time, request.created_at
-  end
-
-  def test_prepare_deferred_creates_valid_pdf
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    assert File.exist?(request.prepared_pdf_path)
-    header = File.open(request.prepared_pdf_path, "rb") { |f| f.read(5) }
-    assert_equal "%PDF-", header
-  end
-
-  def test_prepare_deferred_digest_size
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain, digest_algorithm: "sha256")
-    track_prepared(request)
-
-    assert_equal 32, request.digest.bytesize
-  end
-
-  def test_prepare_deferred_sha512_digest_size
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain, digest_algorithm: "sha512")
-    track_prepared(request)
-
-    assert_equal 64, request.digest.bytesize
-  end
-
-  def test_deferred_request_serialization_roundtrip
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    hash = request.to_h
-    restored = EasyCodeSign::DeferredSigningRequest.from_h(hash)
-
-    assert_equal request.digest, restored.digest
-    assert_equal request.digest_algorithm, restored.digest_algorithm
-    assert_equal request.prepared_pdf_path, restored.prepared_pdf_path
-    assert_equal request.byte_range, restored.byte_range
-    assert_equal request.certificate.to_pem, restored.certificate.to_pem
-    assert_equal request.certificate_chain.map(&:to_pem), restored.certificate_chain.map(&:to_pem)
-    assert_equal request.estimated_size, restored.estimated_size
-    assert_equal request.signing_time.to_i, restored.signing_time.to_i
-    assert_equal request.created_at.to_i, restored.created_at.to_i
-  end
-
-  def test_deferred_request_digest_hex_and_base64
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    assert_equal request.digest.unpack1("H*"), request.digest_hex
-    assert_equal Base64.strict_encode64(request.digest), request.digest_base64
-  end
-
-  def test_finalize_deferred_produces_signed_pdf
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    # Sign the digest with our test key (simulating external signer)
-    raw_signature = @key.sign_raw("sha256", request.digest)
-
-    finalizer = EasyCodeSign::Signable::PdfFile.new(request.prepared_pdf_path)
-    signed_path = finalizer.finalize_deferred(request, raw_signature)
-
-    assert File.exist?(signed_path)
-
-    # Verify the signed PDF has a signature
-    verifier_signable = EasyCodeSign::Signable::PdfFile.new(signed_path)
-    sig = verifier_signable.extract_signature
-    refute_nil sig, "Expected signed PDF to have an extractable signature"
-    refute_nil sig[:contents]
-    refute_nil sig[:byte_range]
-  end
-
-  def test_signed_attributes_data_present
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    refute_nil request.signed_attributes_data
-    refute_empty request.signed_attributes_data
-    refute_nil request.signed_attributes_base64
-  end
-
-  def test_signed_attributes_data_hash_matches_digest
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain, digest_algorithm: "sha256")
-    track_prepared(request)
-
-    computed_hash = OpenSSL::Digest::SHA256.digest(request.signed_attributes_data)
-    assert_equal request.digest, computed_hash,
-                 "SHA256(signed_attributes_data) must equal the captured digest"
-  end
-
-  def test_webcrypto_style_signing_produces_valid_pdf
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    # Simulate WebCrypto: hash-and-sign in one step (like crypto.subtle.sign)
-    raw_signature = @key.sign("SHA256", request.signed_attributes_data)
-
-    finalizer = EasyCodeSign::Signable::PdfFile.new(request.prepared_pdf_path)
-    signed_path = finalizer.finalize_deferred(request, raw_signature)
-
-    assert File.exist?(signed_path)
-
-    verifier_signable = EasyCodeSign::Signable::PdfFile.new(signed_path)
-    sig = verifier_signable.extract_signature
-    refute_nil sig, "Expected signed PDF to have an extractable signature"
-    refute_nil sig[:contents]
-  end
-
-  def test_signed_attributes_data_serialization_roundtrip
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    hash = request.to_h
-    assert hash.key?("signed_attributes_data"), "to_h should include signed_attributes_data"
-
-    restored = EasyCodeSign::DeferredSigningRequest.from_h(hash)
-    assert_equal request.signed_attributes_data, restored.signed_attributes_data
-  end
-
-  def test_finalize_deferred_raises_on_missing_pdf
-    request = EasyCodeSign::DeferredSigningRequest.new(
-      digest: "\x00" * 32,
-      digest_algorithm: :sha256,
-      prepared_pdf_path: "/nonexistent/path/missing.pdf",
-      byte_range: [0, 100, 200, 100],
-      certificate: @cert,
-      certificate_chain: @chain,
-      estimated_size: 8192,
-      signing_time: Time.now
-    )
-
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-
-    assert_raises(EasyCodeSign::DeferredSigningError) do
-      signable.finalize_deferred(request, "fake_sig")
-    end
-  end
-
-  def test_finalize_deferred_raises_on_oversized_signature
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    # Create a signature that's way too large for the reserved space
-    oversized_signature = "\xFF" * (request.estimated_size * 3)
-
-    finalizer = EasyCodeSign::Signable::PdfFile.new(request.prepared_pdf_path)
-
-    assert_raises(EasyCodeSign::DeferredSigningError) do
-      finalizer.finalize_deferred(request, oversized_signature)
-    end
-  end
-
-  def test_finalize_deferred_with_timestamp_embeds_token
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain, timestamp_size: 4096)
-    track_prepared(request)
-
-    raw_signature = @key.sign_raw("sha256", request.digest)
-    mock_token = create_mock_timestamp_token
-
-    finalizer = EasyCodeSign::Signable::PdfFile.new(request.prepared_pdf_path)
-    signed_path = finalizer.finalize_deferred(request, raw_signature, timestamp_token: mock_token)
-
-    assert File.exist?(signed_path)
-
-    # Parse the CMS from the signed PDF and check for timestamp unsigned attribute
-    verifier_signable = EasyCodeSign::Signable::PdfFile.new(signed_path)
-    sig = verifier_signable.extract_signature
-    refute_nil sig, "Expected signed PDF to have a signature"
-
-    # Decode the CMS DER (trimming zero-padding) and look for id-aa-timeStampToken OID
-    cms_asn1 = decode_cms_from_contents(sig[:contents])
-    assert_timestamp_attribute_present(cms_asn1)
-  end
-
-  def test_finalize_deferred_without_timestamp_unchanged
-    signable = EasyCodeSign::Signable::PdfFile.new(@temp_pdf.path)
-    request = signable.prepare_deferred(@cert, @chain)
-    track_prepared(request)
-
-    raw_signature = @key.sign_raw("sha256", request.digest)
-
-    finalizer = EasyCodeSign::Signable::PdfFile.new(request.prepared_pdf_path)
-    signed_path = finalizer.finalize_deferred(request, raw_signature)
-
-    assert File.exist?(signed_path)
-
-    verifier_signable = EasyCodeSign::Signable::PdfFile.new(signed_path)
-    sig = verifier_signable.extract_signature
-    refute_nil sig
-
-    # Verify no timestamp unsigned attribute is present
-    cms_asn1 = decode_cms_from_contents(sig[:contents])
-    refute_timestamp_attribute_present(cms_asn1)
-  end
-
-  private
-
-  def track_prepared(request)
-    @cleanup_files << request.prepared_pdf_path
-  end
 
-  def create_test_pdf(path)
-    doc = HexaPDF::Document.new
-    page = doc.pages.add
-    page.canvas.font("Helvetica", size: 12)
-    page.canvas.text("Deferred signing test document", at: [100, 700])
-    doc.write(path)
-  end
+  def create_minimal_pdf(path)
+    hdr  = "%PDF-1.4\n"
+    obj1 = "1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n"
+    obj2 = "2 0 obj\n<</Type /Pages /Kids [3 0 R] /Count 1>>\nendobj\n"
+    obj3 = "3 0 obj\n<</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>>\nendobj\n"
 
-  def create_test_cert(key)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = OpenSSL::X509::Name.parse("/CN=Test Deferred Signer")
-    cert.issuer = cert.subject
-    cert.public_key = key.public_key
-    cert.not_before = Time.now
-    cert.not_after = Time.now + 86_400
-    cert.sign(key, OpenSSL::Digest.new("SHA256"))
-    cert
-  end
+    o1 = hdr.bytesize
+    o2 = o1 + obj1.bytesize
+    o3 = o2 + obj2.bytesize
+    xref_off = o3 + obj3.bytesize
 
-  def create_mock_timestamp_token
-    # Build a minimal self-signed PKCS#7 structure as mock token DER
-    tsa_key = OpenSSL::PKey::RSA.new(2048)
-    tsa_cert = OpenSSL::X509::Certificate.new
-    tsa_cert.version = 2
-    tsa_cert.serial = 99
-    tsa_cert.subject = OpenSSL::X509::Name.parse("/CN=Mock TSA")
-    tsa_cert.issuer = tsa_cert.subject
-    tsa_cert.public_key = tsa_key.public_key
-    tsa_cert.not_before = Time.now
-    tsa_cert.not_after = Time.now + 86_400
-    tsa_cert.sign(tsa_key, OpenSSL::Digest.new("SHA256"))
-
-    pkcs7 = OpenSSL::PKCS7.sign(tsa_cert, tsa_key, "mock timestamp data",
-                                 [], OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
-
-    EasyCodeSign::Timestamp::TimestampToken.new(
-      token_der: pkcs7.to_der,
-      timestamp: Time.now,
-      serial_number: 99,
-      policy_oid: "1.2.3.4",
-      tsa_url: "http://test.tsa"
-    )
-  end
+    xref = "xref\n0 4\n" \
+           "0000000000 65535 f \n" \
+           "#{o1.to_s.rjust(10, "0")} 00000 n \n" \
+           "#{o2.to_s.rjust(10, "0")} 00000 n \n" \
+           "#{o3.to_s.rjust(10, "0")} 00000 n \n"
 
-  # Decode CMS DER from PDF /Contents (which may have trailing zero-padding)
-  def decode_cms_from_contents(contents)
-    # The PDF reserves a fixed-size space; trailing zeros must be stripped.
-    # Parse just the first valid DER structure using decode_all which ignores trailing data.
-    OpenSSL::ASN1.decode(contents.sub(/\x00+\z/, ""))
-  end
+    trailer = "trailer\n<</Size 4 /Root 1 0 R>>\nstartxref\n#{xref_off}\n%%EOF\n"
 
-  # Recursively search the ASN.1 tree for the id-aa-timeStampToken OID
-  TIMESTAMP_TOKEN_OID = "1.2.840.113549.1.9.16.2.14"
-
-  def find_oid_in_asn1(asn1, target_oid)
-    if asn1.is_a?(OpenSSL::ASN1::ObjectId) && asn1.oid == target_oid
-      return true
-    end
-
-    if asn1.respond_to?(:value) && asn1.value.is_a?(Array)
-      asn1.value.any? { |child| find_oid_in_asn1(child, target_oid) }
-    else
-      false
-    end
-  end
-
-  def assert_timestamp_attribute_present(cms_asn1)
-    assert find_oid_in_asn1(cms_asn1, TIMESTAMP_TOKEN_OID),
-           "Expected CMS to contain id-aa-timeStampToken unsigned attribute"
-  end
-
-  def refute_timestamp_attribute_present(cms_asn1)
-    refute find_oid_in_asn1(cms_asn1, TIMESTAMP_TOKEN_OID),
-           "Expected CMS NOT to contain id-aa-timeStampToken unsigned attribute"
-  end
-end
-
-class PdfTimestampHandlerTest < Minitest::Test
-  def test_sign_returns_token_der_from_eager_token
-    mock_token = Struct.new(:token_der).new("mock_der_bytes")
-    handler = EasyCodeSign::Pdf::TimestampHandler.new(mock_token)
-
-    result = handler.sign(StringIO.new, [0, 0, 0, 0])
-    assert_equal "mock_der_bytes", result
-  end
-
-  def test_sign_returns_token_der_from_lazy_proc
-    mock_token = Struct.new(:token_der).new("lazy_der_bytes")
-    handler = EasyCodeSign::Pdf::TimestampHandler.new(-> { mock_token })
-
-    result = handler.sign(StringIO.new, [0, 0, 0, 0])
-    assert_equal "lazy_der_bytes", result
-  end
-
-  def test_sign_returns_nil_when_token_is_nil
-    handler = EasyCodeSign::Pdf::TimestampHandler.new(nil)
-
-    result = handler.sign(StringIO.new, [0, 0, 0, 0])
-    assert_nil result
-  end
-
-  def test_sign_returns_nil_when_lazy_proc_returns_nil
-    handler = EasyCodeSign::Pdf::TimestampHandler.new(-> { nil })
-
-    result = handler.sign(StringIO.new, [0, 0, 0, 0])
-    assert_nil result
-  end
-end
-
-class ExternalSigningCallbackTest < Minitest::Test
-  def test_callback_receives_data_and_returns_signature
-    expected_signature = "mock_signature"
-    callback = EasyCodeSign::Signable::ExternalSigningCallback.new(->(data) { expected_signature })
-
-    result = callback.sign("test data", "SHA256")
-    assert_equal expected_signature, result
-  end
-
-  def test_callback_is_private
-    callback = EasyCodeSign::Signable::ExternalSigningCallback.new(->(_) { "sig" })
-    assert callback.private?
-  end
-end
-
-class ExternalSigningProxyTest < Minitest::Test
-  def setup
-    @key = OpenSSL::PKey::RSA.new(2048)
-    @cert = create_test_cert(@key)
-  end
-
-  def test_proxy_returns_precomputed_signature
-    signature = "precomputed_signature"
-    proxy = EasyCodeSign::Signable::ExternalSigningProxy.new(signature, @cert, [@cert])
-
-    result = proxy.sign("any data", "SHA256")
-    assert_equal signature, result
-  end
-
-  def test_proxy_has_certificate
-    proxy = EasyCodeSign::Signable::ExternalSigningProxy.new("sig", @cert, [@cert])
-    assert_equal @cert, proxy.certificate
-  end
-
-  def test_proxy_is_private
-    proxy = EasyCodeSign::Signable::ExternalSigningProxy.new("sig", @cert, [@cert])
-    assert proxy.private?
-  end
-
-  private
-
-  def create_test_cert(key)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = OpenSSL::X509::Name.parse("/CN=Test")
-    cert.issuer = cert.subject
-    cert.public_key = key.public_key
-    cert.not_before = Time.now
-    cert.not_after = Time.now + 86_400
-    cert.sign(key, OpenSSL::Digest.new("SHA256"))
-    cert
+    File.binwrite(path, hdr + obj1 + obj2 + obj3 + xref + trailer)
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: easy_code_sign
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - michail
@@ -24,19 +24,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.2'
 - !ruby/object:Gem::Dependency
-  name: hexapdf
+  name: pdf-reader
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: pkcs11
   requirement: !ruby/object:Gem::Requirement
@@ -142,6 +142,8 @@ files:
 - lib/easy_code_sign/deferred_signing_request.rb
 - lib/easy_code_sign/errors.rb
 - lib/easy_code_sign/pdf/appearance_builder.rb
+- lib/easy_code_sign/pdf/cms_builder.rb
+- lib/easy_code_sign/pdf/native_signer.rb
 - lib/easy_code_sign/pdf/timestamp_handler.rb
 - lib/easy_code_sign/providers/base.rb
 - lib/easy_code_sign/providers/pkcs11_base.rb