easy_code_sign 0.1.0

data/plugin/src/easy_sign/inject.rb

@@ -0,0 +1,239 @@
+# frozen_string_literal: true
+# backtick_javascript: true
+
+require "native"
+require "promise"
+require "easy_sign/messaging"
+
+# Injected page script that exposes window.EasySign API
+# This runs in the page context, not the extension context
+module EasySign
+  class API
+    DEFAULT_TIMEOUT = 120_000 # 2 minutes
+
+    def initialize
+      @pending_requests = {}
+      setup_message_listener
+    end
+
+    # Check if EasySign extension is available and token is connected
+    # @return [Promise] Resolves with availability info
+    def is_available
+      Promise.new do |resolve, reject|
+        request = create_request(Messaging::Types::AVAILABILITY_REQUEST, {})
+        send_request(request, resolve, reject, 10_000) # 10 second timeout for availability check
+      end
+    end
+
+    # Sign a PDF document
+    # @param pdf_blob [Blob] The PDF file as a Blob
+    # @param options [Hash] Signing options
+    # @option options [String] :reason Reason for signing
+    # @option options [String] :location Location of signing
+    # @option options [Boolean] :visible_signature Add visible signature annotation
+    # @option options [String] :signature_position Position (top_left, top_right, bottom_left, bottom_right)
+    # @option options [Integer] :signature_page Page number for signature
+    # @option options [Boolean] :timestamp Add RFC 3161 timestamp
+    # @return [Promise] Resolves with signed PDF Blob
+    def sign(pdf_blob, options = {})
+      Promise.new do |resolve, reject|
+        # Convert Blob to Base64
+        blob_to_base64(pdf_blob).then do |base64_data|
+          request = create_request(
+            Messaging::Types::SIGN_REQUEST,
+            { pdf_data: base64_data, options: normalize_options(options) }
+          )
+
+          # Wrap resolve to convert Base64 back to Blob
+          wrapped_resolve = ->(response) {
+            if response[:payload] && response[:payload][:signedPdfData]
+              base64_to_blob(response[:payload][:signedPdfData], "application/pdf").then do |blob|
+                resolve.call({
+                  blob: blob,
+                  signer_name: response[:payload][:signerName],
+                  signed_at: response[:payload][:signedAt],
+                  timestamped: response[:payload][:timestamped]
+                })
+              end
+            else
+              resolve.call(response)
+            end
+          }
+
+          send_request(request, wrapped_resolve, reject)
+        end.fail do |error|
+          reject.call(error)
+        end
+      end
+    end
+
+    # Verify a signed PDF document
+    # @param pdf_blob [Blob] The signed PDF file as a Blob
+    # @param options [Hash] Verification options
+    # @option options [Boolean] :check_timestamp Verify timestamp (default: true)
+    # @return [Promise] Resolves with verification result
+    def verify(pdf_blob, options = {})
+      Promise.new do |resolve, reject|
+        blob_to_base64(pdf_blob).then do |base64_data|
+          request = create_request(
+            Messaging::Types::VERIFY_REQUEST,
+            {
+              pdf_data: base64_data,
+              check_timestamp: options[:check_timestamp] != false
+            }
+          )
+
+          send_request(request, resolve, reject)
+        end.fail do |error|
+          reject.call(error)
+        end
+      end
+    end
+
+    # Cancel an ongoing signing operation
+    # @param request_id [String] The request ID to cancel
+    # @return [Promise]
+    def cancel(request_id)
+      Promise.new do |resolve, reject|
+        request = {
+          type: Messaging::Types::CANCEL_REQUEST,
+          request_id: request_id,
+          target: Messaging::Targets::EXTENSION
+        }
+
+        `window.postMessage(#{request.to_n}, '*')`
+        resolve.call({ cancelled: true })
+      end
+    end
+
+    private
+
+    def setup_message_listener
+      `window.addEventListener('message', (event) => {
+        if (event.source !== window) return;
+        if (!event.data || event.data.target !== #{Messaging::Targets::PAGE.to_n}) return;
+
+        #{handle_response(`event.data`)}
+      })`
+    end
+
+    def handle_response(data)
+      request_id = data[:request_id] || `data.requestId` || `data.request_id`
+      callbacks = @pending_requests.delete(request_id)
+
+      return unless callbacks
+
+      resolve = callbacks[:resolve]
+      reject = callbacks[:reject]
+
+      # Clear timeout
+      `clearTimeout(#{callbacks[:timeout_id]})` if callbacks[:timeout_id]
+
+      error = data[:error] || `data.error`
+      if error
+        error_obj = `new Error(#{error[:message] || `error.message` || 'Unknown error'})`
+        `#{error_obj}.code = #{error[:code] || `error.code`}`
+        reject.call(error_obj)
+      else
+        resolve.call(data)
+      end
+    end
+
+    def create_request(type, payload)
+      {
+        type: type,
+        request_id: generate_request_id,
+        payload: payload,
+        target: Messaging::Targets::EXTENSION
+      }
+    end
+
+    def send_request(request, resolve, reject, timeout = DEFAULT_TIMEOUT)
+      request_id = request[:request_id]
+
+      # Set up timeout
+      timeout_id = `setTimeout(() => {
+        #{handle_timeout(request_id)}
+      }, #{timeout})`
+
+      @pending_requests[request_id] = {
+        resolve: resolve,
+        reject: reject,
+        timeout_id: timeout_id
+      }
+
+      `window.postMessage(#{request.to_n}, '*')`
+    end
+
+    def handle_timeout(request_id)
+      callbacks = @pending_requests.delete(request_id)
+      return unless callbacks
+
+      error = `new Error('Operation timed out')`
+      `#{error}.code = 'TIMEOUT'`
+      callbacks[:reject].call(error)
+    end
+
+    def generate_request_id
+      `crypto.randomUUID ? crypto.randomUUID() :
+        Date.now().toString(36) + Math.random().toString(36).substr(2)`
+    end
+
+    def normalize_options(options)
+      # Convert Ruby-style options to camelCase for native host
+      {
+        reason: options[:reason],
+        location: options[:location],
+        visibleSignature: options[:visible_signature],
+        signaturePosition: options[:signature_position],
+        signaturePage: options[:signature_page],
+        timestamp: options[:timestamp],
+        timestampAuthority: options[:timestamp_authority]
+      }.compact
+    end
+
+    def blob_to_base64(blob)
+      Promise.new do |resolve, reject|
+        `const reader = new FileReader();
+         reader.onload = function() {
+           // Remove data URL prefix to get just base64
+           const base64 = reader.result.split(',')[1];
+           #{resolve.call(`base64`)}
+         };
+         reader.onerror = function() {
+           #{reject.call(`reader.error`)}
+         };
+         reader.readAsDataURL(#{blob});`
+      end
+    end
+
+    def base64_to_blob(base64, mime_type)
+      Promise.new do |resolve, _reject|
+        `const byteCharacters = atob(#{base64});
+         const byteNumbers = new Array(byteCharacters.length);
+         for (let i = 0; i < byteCharacters.length; i++) {
+           byteNumbers[i] = byteCharacters.charCodeAt(i);
+         }
+         const byteArray = new Uint8Array(byteNumbers);
+         const blob = new Blob([byteArray], { type: #{mime_type} });
+         #{resolve.call(`blob`)};`
+      end
+    end
+  end
+end
+
+# Expose to window object
+`window.EasySign = #{EasySign::API.new.to_n}`
+
+# Also expose individual methods directly for convenience
+`window.EasySign.sign = function(blob, options) {
+  return #{EasySign::API.new}.sign(blob, options || {});
+};
+window.EasySign.verify = function(blob, options) {
+  return #{EasySign::API.new}.verify(blob, options || {});
+};
+window.EasySign.isAvailable = function() {
+  return #{EasySign::API.new}.is_available();
+};`
+
+puts "EasySign API injected into page"

data/plugin/src/easy_sign/messaging.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+# backtick_javascript: true
+
+# Message protocol constants and helpers for EasySign browser extension
+module EasySign
+  module Messaging
+    # Message types
+    module Types
+      # Requests from page/content script to background
+      SIGN_REQUEST = "sign_request"
+      VERIFY_REQUEST = "verify_request"
+      AVAILABILITY_REQUEST = "availability_request"
+      CANCEL_REQUEST = "cancel_request"
+
+      # Responses from background to page/content script
+      SIGN_RESPONSE = "sign_response"
+      VERIFY_RESPONSE = "verify_response"
+      AVAILABILITY_RESPONSE = "availability_response"
+      ERROR_RESPONSE = "error"
+
+      # Internal extension messages
+      PIN_SUBMITTED = "pin_submitted"
+      PIN_CANCELLED = "pin_cancelled"
+      POPUP_READY = "popup_ready"
+    end
+
+    # Error codes matching native host protocol
+    module ErrorCodes
+      TOKEN_NOT_FOUND = "TOKEN_NOT_FOUND"
+      PIN_INCORRECT = "PIN_INCORRECT"
+      TOKEN_LOCKED = "TOKEN_LOCKED"
+      INVALID_PDF = "INVALID_PDF"
+      SIGNING_FAILED = "SIGNING_FAILED"
+      VERIFICATION_FAILED = "VERIFICATION_FAILED"
+      NATIVE_HOST_NOT_FOUND = "NATIVE_HOST_NOT_FOUND"
+      TIMEOUT = "TIMEOUT"
+      CANCELLED = "CANCELLED"
+      ORIGIN_NOT_ALLOWED = "ORIGIN_NOT_ALLOWED"
+      INTERNAL_ERROR = "INTERNAL_ERROR"
+    end
+
+    # Message targets for postMessage routing
+    module Targets
+      EXTENSION = "easy-sign-extension"
+      PAGE = "easy-sign-page"
+    end
+
+    # Default timeout for signing operations (ms)
+    DEFAULT_TIMEOUT = 120_000 # 2 minutes
+
+    # Generate unique request ID
+    def self.generate_request_id
+      # Use crypto.randomUUID if available, fallback to timestamp + random
+      `typeof crypto !== 'undefined' && crypto.randomUUID ?
+        crypto.randomUUID() :
+        Date.now().toString(36) + Math.random().toString(36).substr(2)`
+    end
+
+    # Create a request message
+    def self.create_request(type, payload = {})
+      {
+        type: type,
+        request_id: generate_request_id,
+        payload: payload,
+        timestamp: `Date.now()`
+      }
+    end
+
+    # Create a response message
+    def self.create_response(request_id, type, payload = nil, error = nil)
+      {
+        type: type,
+        request_id: request_id,
+        payload: payload,
+        error: error,
+        timestamp: `Date.now()`
+      }
+    end
+
+    # Create an error response
+    def self.create_error(request_id, code, message, details = nil)
+      create_response(
+        request_id,
+        Types::ERROR_RESPONSE,
+        nil,
+        { code: code, message: message, details: details }
+      )
+    end
+
+    # Human-readable error messages
+    ERROR_MESSAGES = {
+      ErrorCodes::TOKEN_NOT_FOUND => "Hardware token not found. Please connect your token.",
+      ErrorCodes::PIN_INCORRECT => "Incorrect PIN entered.",
+      ErrorCodes::TOKEN_LOCKED => "Token is locked. Please contact your administrator.",
+      ErrorCodes::INVALID_PDF => "The PDF file is invalid or corrupted.",
+      ErrorCodes::SIGNING_FAILED => "Failed to sign the document.",
+      ErrorCodes::VERIFICATION_FAILED => "Failed to verify the signature.",
+      ErrorCodes::NATIVE_HOST_NOT_FOUND => "EasySign native host not installed.",
+      ErrorCodes::TIMEOUT => "Operation timed out.",
+      ErrorCodes::CANCELLED => "Operation was cancelled.",
+      ErrorCodes::ORIGIN_NOT_ALLOWED => "This website is not allowed to use EasySign.",
+      ErrorCodes::INTERNAL_ERROR => "An internal error occurred."
+    }.freeze
+
+    def self.error_message(code)
+      ERROR_MESSAGES[code] || "Unknown error: #{code}"
+    end
+  end
+end

data/plugin/src/easy_sign/popup.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+# backtick_javascript: true
+
+require "native"
+require "easy_sign/messaging"
+
+# Popup controller for PIN entry
+module EasySign
+  class Popup
+    def initialize
+      @port = nil
+      @signing_context = nil
+      setup_ui
+      connect_to_background
+    end
+
+    def setup_ui
+      # Wait for DOM to be ready
+      `document.addEventListener('DOMContentLoaded', () => {
+        #{init_ui}
+      })`
+    end
+
+    def init_ui
+      # Get UI elements
+      @pin_input = `document.getElementById('pin-input')`
+      @submit_btn = `document.getElementById('submit-btn')`
+      @cancel_btn = `document.getElementById('cancel-btn')`
+      @status_text = `document.getElementById('status-text')`
+      @origin_text = `document.getElementById('origin-text')`
+      @error_text = `document.getElementById('error-text')`
+
+      setup_event_listeners
+      focus_pin_input
+    end
+
+    def setup_event_listeners
+      # Submit button click
+      `#{@submit_btn}.addEventListener('click', () => {
+        #{submit_pin}
+      })`
+
+      # Cancel button click
+      `#{@cancel_btn}.addEventListener('click', () => {
+        #{cancel_signing}
+      })`
+
+      # Enter key in PIN input
+      `#{@pin_input}.addEventListener('keypress', (e) => {
+        if (e.key === 'Enter') {
+          #{submit_pin}
+        }
+      })`
+
+      # Clear error on input
+      `#{@pin_input}.addEventListener('input', () => {
+        #{clear_error}
+      })`
+    end
+
+    def connect_to_background
+      @port = `chrome.runtime.connect({ name: 'popup' })`
+
+      `#{@port}.onMessage.addListener((message) => {
+        #{handle_background_message(`message`)}
+      })`
+
+      `#{@port}.onDisconnect.addListener(() => {
+        #{handle_disconnect}
+      })`
+
+      # Notify background that popup is ready
+      send_to_background({ type: Messaging::Types::POPUP_READY })
+    end
+
+    def handle_background_message(message)
+      type = message[:type] || `message.type`
+
+      case type
+      when "signing_context"
+        handle_signing_context(message)
+      when "error"
+        show_error(message[:error] || `message.error`)
+      when "pin_incorrect"
+        show_error("Incorrect PIN. Please try again.")
+        clear_pin
+        focus_pin_input
+      end
+    end
+
+    def handle_signing_context(context)
+      @signing_context = context
+      origin = context[:origin] || `context.origin`
+      options = context[:options] || `context.options` || {}
+
+      # Update UI with signing context
+      if origin && @origin_text
+        `#{@origin_text}.textContent = #{origin}`
+      end
+
+      # Show what will be signed
+      if options[:reason] && @status_text
+        `#{@status_text}.textContent = 'Reason: ' + #{options[:reason]}`
+      end
+    end
+
+    def handle_disconnect
+      # Background disconnected, close popup
+      `window.close()`
+    end
+
+    def submit_pin
+      pin = `#{@pin_input}.value`
+
+      # Validate PIN
+      if pin.nil? || `#{pin}.length === 0`
+        show_error("Please enter your PIN")
+        return
+      end
+
+      if `#{pin}.length < 4`
+        show_error("PIN must be at least 4 characters")
+        return
+      end
+
+      # Disable UI while processing
+      disable_ui
+      show_status("Signing document...")
+
+      # Send PIN to background
+      send_to_background({
+        type: Messaging::Types::PIN_SUBMITTED,
+        pin: pin
+      })
+
+      # Clear PIN from memory
+      clear_pin
+    end
+
+    def cancel_signing
+      send_to_background({ type: Messaging::Types::PIN_CANCELLED })
+      `window.close()`
+    end
+
+    def send_to_background(message)
+      return unless @port
+
+      `#{@port}.postMessage(#{message.to_n})`
+    end
+
+    def show_error(message)
+      return unless @error_text
+
+      `#{@error_text}.textContent = #{message}`
+      `#{@error_text}.style.display = 'block'`
+      enable_ui
+    end
+
+    def clear_error
+      return unless @error_text
+
+      `#{@error_text}.textContent = ''`
+      `#{@error_text}.style.display = 'none'`
+    end
+
+    def show_status(message)
+      return unless @status_text
+
+      `#{@status_text}.textContent = #{message}`
+    end
+
+    def clear_pin
+      return unless @pin_input
+
+      `#{@pin_input}.value = ''`
+    end
+
+    def focus_pin_input
+      return unless @pin_input
+
+      `#{@pin_input}.focus()`
+    end
+
+    def disable_ui
+      `#{@pin_input}.disabled = true` if @pin_input
+      `#{@submit_btn}.disabled = true` if @submit_btn
+      `#{@cancel_btn}.disabled = true` if @cancel_btn
+    end
+
+    def enable_ui
+      `#{@pin_input}.disabled = false` if @pin_input
+      `#{@submit_btn}.disabled = false` if @submit_btn
+      `#{@cancel_btn}.disabled = false` if @cancel_btn
+      focus_pin_input
+    end
+  end
+end
+
+# Initialize popup
+EasySign::Popup.new

data/plugin/templates/manifest.json

@@ -0,0 +1,58 @@
+{
+  "manifest_version": 3,
+  "name": "EasySign PDF Signer",
+  "version": "1.0.0",
+  "description": "Sign PDF documents using hardware security tokens (HSM/smart cards)",
+
+  "permissions": [
+    "nativeMessaging",
+    "storage"
+  ],
+
+  "host_permissions": [
+    "https://*/*",
+    "http://localhost/*"
+  ],
+
+  "background": {
+    "service_worker": "background.js",
+    "type": "module"
+  },
+
+  "content_scripts": [
+    {
+      "matches": ["https://*/*", "http://localhost/*"],
+      "js": ["content.js"],
+      "run_at": "document_start",
+      "all_frames": false
+    }
+  ],
+
+  "web_accessible_resources": [
+    {
+      "resources": ["inject.js"],
+      "matches": ["https://*/*", "http://localhost/*"]
+    }
+  ],
+
+  "action": {
+    "default_popup": "popup/popup.html",
+    "default_icon": {
+      "16": "icons/icon16.png",
+      "48": "icons/icon48.png",
+      "128": "icons/icon128.png"
+    },
+    "default_title": "EasySign PDF Signer"
+  },
+
+  "icons": {
+    "16": "icons/icon16.png",
+    "48": "icons/icon48.png",
+    "128": "icons/icon128.png"
+  },
+
+  "options_ui": {
+    "page": "popup/popup.html",
+    "open_in_tab": false
+  }
+}