easy_code_sign 0.1.0

data/plugin/native_host/build/Rakefile

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "fileutils"
+
+DIST_DIR = File.expand_path("../dist", __dir__)
+SRC_DIR = File.expand_path("../src", __dir__)
+ROOT_DIR = File.expand_path("../../..", __dir__)
+
+desc "Build native host for current platform"
+task build: :clean do
+  mkdir_p DIST_DIR
+
+  # For development, create a wrapper script that uses Ruby
+  create_dev_wrapper
+end
+
+desc "Package native host as self-contained executable"
+task package: :clean do
+  mkdir_p DIST_DIR
+
+  # Check for ruby-packer
+  unless system("which rubyc > /dev/null 2>&1")
+    puts "ruby-packer (rubyc) not found. Install with: gem install rubyc"
+    puts "Falling back to development wrapper..."
+    create_dev_wrapper
+    exit 0
+  end
+
+  # Package with ruby-packer
+  platform = case RUBY_PLATFORM
+             when /darwin/ then "macos"
+             when /linux/ then "linux"
+             when /mingw|mswin/ then "windows"
+             else "unknown"
+             end
+
+  output_name = platform == "windows" ? "easy_sign_host.exe" : "easy_sign_host_#{platform}"
+  output_path = File.join(DIST_DIR, output_name)
+
+  puts "Packaging native host for #{platform}..."
+
+  # Create a temporary entry point that requires all dependencies
+  entry_point = File.join(SRC_DIR, "easy_sign_host.rb")
+
+  cmd = [
+    "rubyc",
+    entry_point,
+    "-o", output_path,
+    "--add-dependency", "easy_code_sign"
+  ]
+
+  unless system(*cmd)
+    puts "Packaging failed. Check ruby-packer installation."
+    exit 1
+  end
+
+  puts "Created: #{output_path}"
+end
+
+desc "Clean build artifacts"
+task :clean do
+  FileUtils.rm_rf(Dir.glob("#{DIST_DIR}/*"))
+end
+
+desc "Run native host tests"
+task :test do
+  sh "ruby -I#{SRC_DIR} -I#{ROOT_DIR}/lib #{SRC_DIR}/../test/native_host_test.rb"
+end
+
+private
+
+def create_dev_wrapper
+  # Create a shell wrapper for development that uses system Ruby
+  wrapper_path = File.join(DIST_DIR, "easy_sign_host")
+  host_script = File.join(SRC_DIR, "easy_sign_host.rb")
+
+  File.write(wrapper_path, <<~BASH)
+    #!/bin/bash
+    # Development wrapper for EasySign Native Host
+    # Uses system Ruby and requires easy_code_sign gem to be installed
+
+    SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    HOST_SCRIPT="#{host_script}"
+
+    exec ruby "$HOST_SCRIPT" "$@"
+  BASH
+
+  FileUtils.chmod(0o755, wrapper_path)
+  puts "Created development wrapper: #{wrapper_path}"
+end

data/plugin/native_host/install/com.easysign.host.json

@@ -0,0 +1,9 @@
+{
+  "name": "com.easysign.host",
+  "description": "EasySign PDF Signing Native Host",
+  "path": "{{HOST_PATH}}",
+  "type": "stdio",
+  "allowed_origins": [
+    "chrome-extension://{{EXTENSION_ID}}/"
+  ]
+}

data/plugin/native_host/install/install_chrome.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Install EasySign Native Messaging Host for Chrome/Chromium
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HOST_NAME="com.easysign.host"
+
+# Detect host executable path
+if [ -f "$SCRIPT_DIR/../dist/easy_sign_host" ]; then
+  # Use packaged binary
+  HOST_PATH="$SCRIPT_DIR/../dist/easy_sign_host"
+elif [ -f "$SCRIPT_DIR/../src/easy_sign_host.rb" ]; then
+  # Use Ruby script directly (development mode)
+  HOST_PATH="$SCRIPT_DIR/../src/easy_sign_host.rb"
+  chmod +x "$HOST_PATH"
+else
+  echo "Error: Native host executable not found"
+  exit 1
+fi
+
+HOST_PATH="$(cd "$(dirname "$HOST_PATH")" && pwd)/$(basename "$HOST_PATH")"
+
+# Get extension ID (can be overridden)
+EXTENSION_ID="${EASYSIGN_EXTENSION_ID:-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
+
+# Determine manifest directory based on OS
+case "$(uname -s)" in
+  Darwin)
+    # macOS
+    if [ "$USER" = "root" ]; then
+      MANIFEST_DIR="/Library/Google/Chrome/NativeMessagingHosts"
+    else
+      MANIFEST_DIR="$HOME/Library/Application Support/Google/Chrome/NativeMessagingHosts"
+    fi
+    ;;
+  Linux)
+    # Linux
+    if [ "$USER" = "root" ]; then
+      MANIFEST_DIR="/etc/opt/chrome/native-messaging-hosts"
+    else
+      MANIFEST_DIR="$HOME/.config/google-chrome/NativeMessagingHosts"
+    fi
+    ;;
+  MINGW*|MSYS*|CYGWIN*)
+    # Windows (Git Bash, MSYS2, Cygwin)
+    MANIFEST_DIR="$LOCALAPPDATA/Google/Chrome/User Data/NativeMessagingHosts"
+    ;;
+  *)
+    echo "Error: Unsupported operating system"
+    exit 1
+    ;;
+esac
+
+# Create manifest directory if it doesn't exist
+mkdir -p "$MANIFEST_DIR"
+
+# Generate manifest
+MANIFEST_PATH="$MANIFEST_DIR/$HOST_NAME.json"
+
+cat > "$MANIFEST_PATH" << EOF
+{
+  "name": "$HOST_NAME",
+  "description": "EasySign PDF Signing Native Host",
+  "path": "$HOST_PATH",
+  "type": "stdio",
+  "allowed_origins": [
+    "chrome-extension://$EXTENSION_ID/"
+  ]
+}
+EOF
+
+echo "EasySign Native Messaging Host installed for Chrome"
+echo "  Manifest: $MANIFEST_PATH"
+echo "  Host: $HOST_PATH"
+echo ""
+echo "NOTE: Update the extension ID in the manifest if needed:"
+echo "  Current: $EXTENSION_ID"
+echo ""
+echo "To update, run:"
+echo "  EASYSIGN_EXTENSION_ID=your_extension_id $0"

data/plugin/native_host/install/install_firefox.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Install EasySign Native Messaging Host for Firefox
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+HOST_NAME="com.easysign.host"
+
+# Detect host executable path
+if [ -f "$SCRIPT_DIR/../dist/easy_sign_host" ]; then
+  # Use packaged binary
+  HOST_PATH="$SCRIPT_DIR/../dist/easy_sign_host"
+elif [ -f "$SCRIPT_DIR/../src/easy_sign_host.rb" ]; then
+  # Use Ruby script directly (development mode)
+  HOST_PATH="$SCRIPT_DIR/../src/easy_sign_host.rb"
+  chmod +x "$HOST_PATH"
+else
+  echo "Error: Native host executable not found"
+  exit 1
+fi
+
+HOST_PATH="$(cd "$(dirname "$HOST_PATH")" && pwd)/$(basename "$HOST_PATH")"
+
+# Get extension ID (Firefox uses email-style IDs)
+EXTENSION_ID="${EASYSIGN_EXTENSION_ID:-easysign@example.com}"
+
+# Determine manifest directory based on OS
+case "$(uname -s)" in
+  Darwin)
+    # macOS
+    if [ "$USER" = "root" ]; then
+      MANIFEST_DIR="/Library/Application Support/Mozilla/NativeMessagingHosts"
+    else
+      MANIFEST_DIR="$HOME/Library/Application Support/Mozilla/NativeMessagingHosts"
+    fi
+    ;;
+  Linux)
+    # Linux
+    if [ "$USER" = "root" ]; then
+      MANIFEST_DIR="/usr/lib/mozilla/native-messaging-hosts"
+    else
+      MANIFEST_DIR="$HOME/.mozilla/native-messaging-hosts"
+    fi
+    ;;
+  MINGW*|MSYS*|CYGWIN*)
+    # Windows (Git Bash, MSYS2, Cygwin)
+    MANIFEST_DIR="$APPDATA/Mozilla/NativeMessagingHosts"
+    ;;
+  *)
+    echo "Error: Unsupported operating system"
+    exit 1
+    ;;
+esac
+
+# Create manifest directory if it doesn't exist
+mkdir -p "$MANIFEST_DIR"
+
+# Generate manifest (Firefox uses allowed_extensions instead of allowed_origins)
+MANIFEST_PATH="$MANIFEST_DIR/$HOST_NAME.json"
+
+cat > "$MANIFEST_PATH" << EOF
+{
+  "name": "$HOST_NAME",
+  "description": "EasySign PDF Signing Native Host",
+  "path": "$HOST_PATH",
+  "type": "stdio",
+  "allowed_extensions": [
+    "$EXTENSION_ID"
+  ]
+}
+EOF
+
+echo "EasySign Native Messaging Host installed for Firefox"
+echo "  Manifest: $MANIFEST_PATH"
+echo "  Host: $HOST_PATH"
+echo ""
+echo "NOTE: Update the extension ID in the manifest if needed:"
+echo "  Current: $EXTENSION_ID"
+echo ""
+echo "To update, run:"
+echo "  EASYSIGN_EXTENSION_ID=your_extension_id $0"

data/plugin/native_host/src/easy_sign_host.rb

@@ -0,0 +1,158 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# EasySign Native Messaging Host
+# Communicates with browser extension via stdin/stdout using length-prefixed JSON
+
+require "json"
+
+# Add lib to load path for development
+$LOAD_PATH.unshift(File.expand_path("../../../lib", __dir__))
+$LOAD_PATH.unshift(__dir__)
+
+require "protocol"
+require "signing_service"
+
+module EasySign
+  # Native Messaging Host for browser extension communication
+  class NativeHost
+    MAX_MESSAGE_SIZE = 1024 * 1024 # 1MB limit
+
+    def initialize
+      @signing_service = SigningService.new
+
+      # Ensure binary mode for stdin/stdout
+      $stdin.binmode
+      $stdout.binmode
+
+      # Disable stdout buffering
+      $stdout.sync = true
+    end
+
+    # Main loop - read and process messages
+    def run
+      loop do
+        message = read_message
+        break unless message
+
+        response = process_message(message)
+        write_message(response)
+      end
+    rescue Interrupt
+      # Clean exit on Ctrl+C (shouldn't happen in normal use)
+      exit 0
+    rescue StandardError => e
+      # Log error but don't crash - browser will handle disconnect
+      write_message(Protocol.error_response(nil, Protocol::ErrorCodes::INTERNAL_ERROR, e.message))
+    end
+
+    private
+
+    # Read a native messaging message from stdin
+    # Format: 4-byte length (little-endian uint32) + JSON data
+    def read_message
+      # Read 4-byte length prefix
+      length_bytes = $stdin.read(4)
+      return nil unless length_bytes && length_bytes.bytesize == 4
+
+      # Unpack as little-endian unsigned 32-bit integer
+      length = length_bytes.unpack1("V")
+
+      # Validate length
+      return nil if length.zero? || length > MAX_MESSAGE_SIZE
+
+      # Read JSON data
+      json_data = $stdin.read(length)
+      return nil unless json_data && json_data.bytesize == length
+
+      JSON.parse(json_data, symbolize_names: true)
+    rescue JSON::ParserError => e
+      # Return error for invalid JSON
+      { type: "invalid", error: e.message }
+    end
+
+    # Write a native messaging message to stdout
+    # Format: 4-byte length (little-endian uint32) + JSON data
+    def write_message(message)
+      json = message.to_json
+      length = [json.bytesize].pack("V") # Little-endian uint32
+
+      $stdout.write(length)
+      $stdout.write(json)
+      $stdout.flush
+    end
+
+    # Process an incoming message and return response
+    def process_message(message)
+      request_id = message[:requestId] || message[:request_id]
+      type = message[:type]
+
+      case type
+      when Protocol::Types::SIGN
+        process_sign(request_id, message[:payload])
+      when Protocol::Types::VERIFY
+        process_verify(request_id, message[:payload])
+      when Protocol::Types::CHECK_AVAILABILITY
+        process_check_availability(request_id)
+      when "invalid"
+        Protocol.error_response(request_id, Protocol::ErrorCodes::INVALID_MESSAGE, message[:error])
+      else
+        Protocol.error_response(request_id, Protocol::ErrorCodes::INVALID_MESSAGE, "Unknown message type: #{type}")
+      end
+    end
+
+    def process_sign(request_id, payload)
+      result = @signing_service.sign(
+        pdf_data: payload[:pdfData],
+        pin: payload[:pin],
+        options: payload[:options] || {}
+      )
+
+      Protocol.sign_response(request_id, result)
+    rescue EasyCodeSign::PinError => e
+      Protocol.error_response(
+        request_id,
+        Protocol::ErrorCodes::PIN_INCORRECT,
+        e.message,
+        { retriesRemaining: e.respond_to?(:retries_remaining) ? e.retries_remaining : nil }
+      )
+    rescue EasyCodeSign::TokenNotFoundError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::TOKEN_NOT_FOUND, e.message)
+    rescue EasyCodeSign::TokenLockedError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::TOKEN_LOCKED, e.message)
+    rescue EasyCodeSign::InvalidPdfError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::INVALID_PDF, e.message)
+    rescue EasyCodeSign::Error => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::SIGNING_FAILED, e.message)
+    rescue StandardError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::INTERNAL_ERROR, e.message)
+    end
+
+    def process_verify(request_id, payload)
+      result = @signing_service.verify(
+        pdf_data: payload[:pdfData],
+        check_timestamp: payload[:checkTimestamp] != false
+      )
+
+      Protocol.verify_response(request_id, result)
+    rescue EasyCodeSign::InvalidPdfError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::INVALID_PDF, e.message)
+    rescue EasyCodeSign::Error => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::VERIFICATION_FAILED, e.message)
+    rescue StandardError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::INTERNAL_ERROR, e.message)
+    end
+
+    def process_check_availability(request_id)
+      result = @signing_service.check_availability
+      Protocol.availability_response(request_id, result)
+    rescue StandardError => e
+      Protocol.error_response(request_id, Protocol::ErrorCodes::INTERNAL_ERROR, e.message)
+    end
+  end
+end
+
+# Entry point
+if __FILE__ == $PROGRAM_NAME
+  EasySign::NativeHost.new.run
+end

data/plugin/native_host/src/protocol.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+# Native Messaging Protocol definitions
+module EasySign
+  module Protocol
+    # Message types
+    module Types
+      SIGN = "sign"
+      VERIFY = "verify"
+      CHECK_AVAILABILITY = "check_availability"
+
+      SIGN_RESPONSE = "sign_response"
+      VERIFY_RESPONSE = "verify_response"
+      AVAILABILITY_RESPONSE = "availability_response"
+      ERROR = "error"
+    end
+
+    # Error codes
+    module ErrorCodes
+      TOKEN_NOT_FOUND = "TOKEN_NOT_FOUND"
+      PIN_INCORRECT = "PIN_INCORRECT"
+      TOKEN_LOCKED = "TOKEN_LOCKED"
+      INVALID_PDF = "INVALID_PDF"
+      SIGNING_FAILED = "SIGNING_FAILED"
+      VERIFICATION_FAILED = "VERIFICATION_FAILED"
+      INVALID_MESSAGE = "INVALID_MESSAGE"
+      INTERNAL_ERROR = "INTERNAL_ERROR"
+    end
+
+    class << self
+      # Create a success response
+      def success_response(request_id, type, payload)
+        {
+          type: type,
+          requestId: request_id,
+          payload: payload,
+          error: nil
+        }
+      end
+
+      # Create an error response
+      def error_response(request_id, code, message, details = nil)
+        {
+          type: Types::ERROR,
+          requestId: request_id,
+          payload: nil,
+          error: {
+            code: code,
+            message: message,
+            details: details
+          }.compact
+        }
+      end
+
+      # Create sign response
+      def sign_response(request_id, result)
+        success_response(request_id, Types::SIGN_RESPONSE, {
+          signedPdfData: result[:signed_pdf_data],
+          signerName: result[:signer_name],
+          signedAt: result[:signed_at]&.iso8601,
+          timestamped: result[:timestamped] || false
+        })
+      end
+
+      # Create verify response
+      def verify_response(request_id, result)
+        success_response(request_id, Types::VERIFY_RESPONSE, {
+          valid: result[:valid],
+          signerName: result[:signer_name],
+          signerOrganization: result[:signer_organization],
+          signedAt: result[:signed_at]&.iso8601,
+          signatureValid: result[:signature_valid],
+          integrityValid: result[:integrity_valid],
+          certificateValid: result[:certificate_valid],
+          chainValid: result[:chain_valid],
+          trusted: result[:trusted],
+          timestamped: result[:timestamped],
+          timestampValid: result[:timestamp_valid],
+          errors: result[:errors] || [],
+          warnings: result[:warnings] || []
+        })
+      end
+
+      # Create availability response
+      def availability_response(request_id, result)
+        success_response(request_id, Types::AVAILABILITY_RESPONSE, {
+          available: result[:available],
+          tokenPresent: result[:token_present],
+          slots: result[:slots]&.map do |slot|
+            {
+              index: slot[:index],
+              tokenLabel: slot[:token_label],
+              manufacturer: slot[:manufacturer],
+              serial: slot[:serial]
+            }
+          end
+        })
+      end
+    end
+  end
+end

data/plugin/native_host/src/signing_service.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require "base64"
+require "tempfile"
+require "easy_code_sign"
+
+module EasySign
+  # Service that wraps EasyCodeSign gem for browser extension use
+  class SigningService
+    def initialize
+      configure_easy_code_sign
+    end
+
+    # Sign a PDF document
+    # @param pdf_data [String] Base64-encoded PDF content
+    # @param pin [String] Token PIN
+    # @param options [Hash] Signing options
+    # @return [Hash] Result with signed PDF data
+    def sign(pdf_data:, pin:, options: {})
+      # Decode PDF from Base64
+      pdf_bytes = Base64.strict_decode64(pdf_data)
+
+      # Write to temp file
+      input_file = Tempfile.new(["input", ".pdf"], binmode: true)
+      output_file = Tempfile.new(["signed", ".pdf"], binmode: true)
+
+      begin
+        input_file.write(pdf_bytes)
+        input_file.close
+
+        # Build signing options
+        sign_opts = build_sign_options(options).merge(
+          pin: pin,
+          output_path: output_file.path
+        )
+
+        # Sign using EasyCodeSign
+        result = EasyCodeSign.sign(input_file.path, **sign_opts)
+
+        # Read signed PDF and encode as Base64
+        signed_bytes = File.binread(output_file.path)
+        signed_base64 = Base64.strict_encode64(signed_bytes)
+
+        {
+          signed_pdf_data: signed_base64,
+          signer_name: result.signer_name,
+          signed_at: result.signed_at,
+          timestamped: result.timestamped?
+        }
+      ensure
+        input_file.unlink
+        output_file.close
+        output_file.unlink
+      end
+    end
+
+    # Verify a signed PDF document
+    # @param pdf_data [String] Base64-encoded PDF content
+    # @param check_timestamp [Boolean] Whether to verify timestamp
+    # @return [Hash] Verification result
+    def verify(pdf_data:, check_timestamp: true)
+      # Decode PDF from Base64
+      pdf_bytes = Base64.strict_decode64(pdf_data)
+
+      # Write to temp file
+      temp_file = Tempfile.new(["verify", ".pdf"], binmode: true)
+
+      begin
+        temp_file.write(pdf_bytes)
+        temp_file.close
+
+        # Verify using EasyCodeSign
+        result = EasyCodeSign.verify(temp_file.path, check_timestamp: check_timestamp)
+
+        {
+          valid: result.valid?,
+          signer_name: result.signer_name,
+          signer_organization: result.signer_organization,
+          signed_at: result.timestamp,
+          signature_valid: result.signature_valid?,
+          integrity_valid: result.integrity_valid?,
+          certificate_valid: result.certificate_valid?,
+          chain_valid: result.chain_valid?,
+          trusted: result.trusted?,
+          timestamped: result.timestamped?,
+          timestamp_valid: result.timestamp_valid?,
+          errors: result.errors,
+          warnings: result.warnings
+        }
+      ensure
+        temp_file.unlink
+      end
+    end
+
+    # Check if signing is available (token connected, etc.)
+    # @return [Hash] Availability status
+    def check_availability
+      begin
+        slots = EasyCodeSign.list_slots
+
+        # Check if any slot has a token present
+        token_present = slots.any? { |s| s[:token_present] }
+
+        {
+          available: true,
+          token_present: token_present,
+          slots: slots.map do |slot|
+            {
+              index: slot[:index],
+              token_label: slot[:token_label],
+              manufacturer: slot[:manufacturer],
+              serial: slot[:serial]
+            }
+          end
+        }
+      rescue EasyCodeSign::Pkcs11LibraryError, EasyCodeSign::TokenNotFoundError => e
+        {
+          available: false,
+          token_present: false,
+          error: e.message,
+          slots: []
+        }
+      end
+    end
+
+    private
+
+    def configure_easy_code_sign
+      # Use default configuration - can be customized via env vars or config file
+      EasyCodeSign.configure do |config|
+        # Provider can be set via env var
+        config.provider = ENV.fetch("EASYSIGN_PROVIDER", "safenet").to_sym
+
+        # PKCS#11 library path (auto-detected if not set)
+        config.pkcs11_library = ENV["EASYSIGN_PKCS11_LIBRARY"] if ENV["EASYSIGN_PKCS11_LIBRARY"]
+
+        # Timestamp authority
+        config.timestamp_authority = ENV.fetch("EASYSIGN_TSA_URL", "http://timestamp.digicert.com")
+
+        # Network timeout
+        config.network_timeout = ENV.fetch("EASYSIGN_TIMEOUT", 30).to_i
+      end
+    end
+
+    def build_sign_options(options)
+      opts = {}
+
+      # Timestamp
+      opts[:timestamp] = options["timestamp"] || options[:timestamp] || false
+      if options["timestampAuthority"] || options[:timestamp_authority]
+        EasyCodeSign.configuration.timestamp_authority =
+          options["timestampAuthority"] || options[:timestamp_authority]
+      end
+
+      # Visible signature
+      opts[:visible_signature] = options["visibleSignature"] || options[:visible_signature] || false
+      opts[:signature_page] = options["signaturePage"] || options[:signature_page] || 1
+      opts[:signature_position] = (options["signaturePosition"] || options[:signature_position] || "bottom_right").to_sym
+
+      # Signature metadata
+      opts[:signature_reason] = options["reason"] || options[:reason]
+      opts[:signature_location] = options["location"] || options[:location]
+
+      opts.compact
+    end
+  end
+end