easy_code_sign 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 795cefa5ad0f01177caeb61d8aaa3c910e6796a5d0f7caad13653a762ada80c1
-  data.tar.gz: 4a65763e2aa2e0396c285c5bf3d75e3dc36697cf4e5f50b4489403a4e0789489
+  metadata.gz: 30b0230f9ff02c468a22aaae42998b4d7917138487fb9e650d00d76e424e61ac
+  data.tar.gz: 1f7ab49d94de297346fbc4ad929fffe05ad9d5b6b928dfbebb3afe987c2707ca
 SHA512:
-  metadata.gz: 0ceaf7fcd326449fd314d493828ed33ca12b4c004f86e08cef72ab1f22212ce92525a4d9ee1aeed5f421dc8636c0504e7b78e75bb5530ef6da1e8aeda929002e
-  data.tar.gz: 0e59683b775e2809b102022b0f16dd3ed142e1fdb1296c83162e1f2fc0747b75440189ea43372f07518f99d7e95e2040af19713ea79fecaf47f03bd011c0fbf3
+  metadata.gz: '00188cddd0c07ce157367eeea03d89dcbec4a527395be854ca5713b7b0d293babd645c1c458514d839f82fba7f1a51e379f975dc1627027791266e7f37c00c90'
+  data.tar.gz: a0f322b5af65a1f298f32725098a5f177b269b3064c2ae66d4f8556cc5ff7df934386cf5bec8b9050c8f64f3d12a7735b9537d7d1d4cba02a356cd31b1d8a4b2

data/CHANGELOG.md

@@ -7,31 +7,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-03-01
+
 ### Added
 
-- **PDF Document Signing**
-  - Sign PDF documents (.pdf) with PKCS#7 digital signatures
-  - Visible signature annotations with customizable position (top-left, top-right, bottom-left, bottom-right)
-  - Signature metadata (reason, location, contact info)
-  - Page selection for signature placement
-  - RFC 3161 timestamp embedding in PDF signatures
-  - ByteRange-based signing for PDF incremental updates
+- **Native MIT-licensed PDF signing backend** (`NativeSigner` + `CmsBuilder`)
+  - ISO 32000 incremental-update signatures (`adbe.pkcs7.detached`) with no AGPL dependency
+  - `CmsBuilder`: assembles CMS `SignedData` via OpenSSL ASN.1 with a `sign_bytes(hash)` callback
+    interface — compatible with HSM/hardware-token providers that only expose raw signing
+  - `NativeSigner`: appends signature dict, AcroForm field, and updated catalog as a valid
+    PDF incremental update; computes ByteRange via raw file I/O
 
-- **PDF Verification**
-  - Verify signed PDF documents
-  - ByteRange integrity checking
-  - Extract and display PDF signature metadata
+### Changed
 
-- **CLI Enhancements for PDF**
-  - `--visible-signature` - Add visible signature annotation
-  - `--signature-page` - Select page for signature
-  - `--signature-position` - Position preset (top_left, top_right, bottom_left, bottom_right)
-  - `--signature-reason` - Reason for signing
-  - `--signature-location` - Signing location
+- `pdf-reader` (~> 2.0, MIT) replaces `hexapdf` as the runtime dependency for PDF parsing
+- `PdfFile#apply_signature` and `#extract_signature` use the native backend by default
 
-### Dependencies
+### Removed
 
-- Added HexaPDF (~> 1.0) for PDF manipulation and signing
+- **HexaPDF dependency** (AGPL) — removed from both runtime and development dependencies.
+  easy_code_sign is now fully MIT-licensed throughout its dependency chain.
+- Deferred signing API (`prepare_deferred`, `finalize_deferred`) — these were built on
+  HexaPDF internals and are removed with it.
 
 ## [0.1.0] - 2025-01-06
 
@@ -92,4 +89,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Private keys never leave the hardware token
 - Certificate revocation checking enabled by default
 
+[Unreleased]: https://github.com/mpantel/easy_code_sign/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/mpantel/easy_code_sign/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/mpantel/easy_code_sign/releases/tag/v0.1.0

data/lib/easy_code_sign/pdf/cms_builder.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module EasyCodeSign
+  module Pdf
+    # Builds a detached CMS SignedData structure for PDF signing (adbe.pkcs7.detached).
+    #
+    # This is a pure-OpenSSL/MIT implementation that does not require HexaPDF.
+    # It uses OpenSSL ASN.1 primitives to assemble the CMS structure and supports
+    # callback-based signing (HSM, hardware token) via a sign_bytes(hash) block.
+    #
+    # The block receives SHA256(signed_attrs_DER) and must return raw RSA signature bytes.
+    # This matches HexaPDF's external_signing convention so providers are interchangeable.
+    #
+    # @example
+    #   builder = CmsBuilder.new(certificate: cert, certificate_chain: [])
+    #   cms_der = builder.build(byterange_content) { |hash| private_key.sign_raw("SHA256", hash) }
+    #
+    class CmsBuilder
+      # OIDs used in PDF CMS signatures
+      OID_DATA           = "1.2.840.113549.1.7.1"   # id-data
+      OID_SIGNED_DATA    = "1.2.840.113549.1.7.2"   # id-signedData
+      OID_CONTENT_TYPE   = "1.2.840.113549.1.9.3"   # id-contentType
+      OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"   # id-messageDigest
+      OID_SIGNING_TIME   = "1.2.840.113549.1.9.5"   # id-signingTime
+      OID_SHA256         = "2.16.840.1.101.3.4.2.1" # id-sha256
+      OID_RSA            = "1.2.840.113549.1.1.1"   # rsaEncryption
+      OID_SHA256_RSA     = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
+
+      # @param certificate [OpenSSL::X509::Certificate] signer certificate
+      # @param certificate_chain [Array<OpenSSL::X509::Certificate>] extra certs (intermediate CA etc.)
+      # @param signing_time [Time] time to embed in signed attributes (default: now)
+      def initialize(certificate:, certificate_chain: [], signing_time: nil)
+        @certificate       = certificate
+        @certificate_chain = certificate_chain
+        @signing_time      = signing_time || Time.now
+      end
+
+      # Build CMS SignedData DER for the given ByteRange content.
+      #
+      # @param data [String] concatenated ByteRange bytes from the PDF
+      # @yield [hash] SHA256 hash of the signed-attributes DER (binary String)
+      # @yieldreturn [String] raw RSA signature bytes (PKCS#1 v1.5)
+      # @return [String] DER-encoded CMS ContentInfo
+      def build(data)
+        raise ArgumentError, "sign_bytes block required" unless block_given?
+
+        message_digest   = OpenSSL::Digest::SHA256.digest(data)
+        signed_attrs_der = build_signed_attrs_der(message_digest)
+
+        # Hash of the DER-encoded signed attributes SET — this is what sign_raw signs
+        hash      = OpenSSL::Digest::SHA256.digest(signed_attrs_der)
+        signature = yield(hash)
+
+        build_content_info(signature, signed_attrs_der)
+      end
+
+      private
+
+      # Construct the signed attributes as a DER-encoded SET.
+      # The result is hashed and signed; then stored as [0] IMPLICIT in SignerInfo.
+      def build_signed_attrs_der(message_digest)
+        attrs = [
+          attribute(OID_CONTENT_TYPE, OpenSSL::ASN1::ObjectId.new(OID_DATA)),
+          attribute(OID_MESSAGE_DIGEST, OpenSSL::ASN1::OctetString.new(message_digest)),
+          attribute(OID_SIGNING_TIME, OpenSSL::ASN1::UTCTime.new(@signing_time))
+        ]
+        OpenSSL::ASN1::Set.new(attrs).to_der
+      end
+
+      # Build a CMS Attribute: SEQUENCE { OID, SET { value } }
+      def attribute(oid_str, value)
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ObjectId.new(oid_str),
+          OpenSSL::ASN1::Set.new([value])
+        ])
+      end
+
+      # Build the top-level CMS ContentInfo wrapping SignedData
+      def build_content_info(signature, signed_attrs_der)
+        signed_data = build_signed_data(signature, signed_attrs_der)
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ObjectId.new(OID_SIGNED_DATA),
+          OpenSSL::ASN1::ASN1Data.new([signed_data], 0, :CONTEXT_SPECIFIC) # [0] EXPLICIT
+        ]).to_der
+      end
+
+      def build_signed_data(signature, signed_attrs_der)
+        sha256_alg  = algorithm_identifier(OID_SHA256)
+        rsa_alg     = algorithm_identifier(OID_RSA)
+        signer_info = build_signer_info(signature, signed_attrs_der, sha256_alg, rsa_alg)
+
+        # certificates [0] IMPLICIT — DER of each cert wrapped as context-specific
+        all_certs  = [@certificate, *@certificate_chain]
+        cert_nodes = all_certs.map { |c| OpenSSL::ASN1.decode(c.to_der) }
+        certs_tagged = OpenSSL::ASN1::ASN1Data.new(cert_nodes, 0, :CONTEXT_SPECIFIC)
+
+        # encapContentInfo: just the eContentType, no eContent (detached)
+        encap = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(OID_DATA)])
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(1)), # version 1
+          OpenSSL::ASN1::Set.new([sha256_alg]),           # digestAlgorithms
+          encap,                                          # encapContentInfo
+          certs_tagged,                                   # certificates [0]
+          OpenSSL::ASN1::Set.new([signer_info])           # signerInfos
+        ])
+      end
+
+      def build_signer_info(signature, signed_attrs_der, sha256_alg, rsa_alg)
+        # IssuerAndSerialNumber
+        issuer_and_serial = OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1.decode(@certificate.issuer.to_der),
+          OpenSSL::ASN1::Integer.new(@certificate.serial)
+        ])
+
+        # signedAttrs stored as [0] IMPLICIT (same bytes as SET but tag = 0xA0)
+        parsed_set     = OpenSSL::ASN1.decode(signed_attrs_der)
+        signed_attrs_0 = OpenSSL::ASN1::ASN1Data.new(parsed_set.value, 0, :CONTEXT_SPECIFIC)
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(1)), # version 1
+          issuer_and_serial,
+          sha256_alg,                                     # digestAlgorithm
+          signed_attrs_0,                                 # signedAttrs [0] IMPLICIT
+          rsa_alg,                                        # signatureAlgorithm
+          OpenSSL::ASN1::OctetString.new(signature)       # signature
+        ])
+      end
+
+      # AlgorithmIdentifier SEQUENCE { OID, NULL }
+      def algorithm_identifier(oid_str)
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ObjectId.new(oid_str),
+          OpenSSL::ASN1::Null.new(nil)
+        ])
+      end
+    end
+  end
+end

data/lib/easy_code_sign/pdf/native_signer.rb

@@ -0,0 +1,275 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "pdf-reader"
+require_relative "cms_builder"
+
+module EasyCodeSign
+  module Pdf
+    # Signs a PDF using a pure-OpenSSL/MIT approach (no HexaPDF).
+    #
+    # Implements ISO 32000 incremental-update signature:
+    #   1. Appends new objects (sig dict, sig field, updated catalog) to the original PDF.
+    #   2. Appends a cross-reference table and trailer (/Prev chains to original).
+    #   3. Writes a fixed-size /Contents placeholder (zeros).
+    #   4. Computes ByteRange = [0, placeholder_start, placeholder_end, rest_of_file].
+    #   5. Patches ByteRange into the file (fixed-width replacement).
+    #   6. Signs the ByteRange content via CmsBuilder + the caller's sign_bytes block.
+    #   7. Embeds the CMS DER hex into the /Contents slot.
+    #
+    class NativeSigner
+      # Reserved binary bytes for CMS DER. RSA-2048 + self-signed cert < 4 KiB.
+      # 8 KiB gives headroom for small certificate chains.
+      SIGNATURE_PLACEHOLDER_SIZE = 8192
+
+      # Fixed-width ByteRange placeholder written before the real values are known.
+      # Four 10-digit zero-padded integers + brackets = always 44 chars.
+      BR_PLACEHOLDER = "[0000000000 0000000000 0000000000 0000000000]"
+
+      def initialize(pdf_path:, output_path:, certificate:, certificate_chain: [],
+                     reason: nil, location: nil, contact_info: nil, signing_time: nil)
+        @pdf_path          = pdf_path
+        @output_path       = output_path
+        @certificate       = certificate
+        @certificate_chain = certificate_chain
+        @reason            = reason
+        @location          = location
+        @contact_info      = contact_info
+        @signing_time      = signing_time || Time.now
+      end
+
+      # Produce a signed PDF.
+      # @yield [hash] binary String — SHA256(signed_attrs_DER), per HexaPDF external_signing convention
+      # @yieldreturn [String] raw RSA-PKCS#1-v1.5 signature bytes
+      # @return [String] @output_path
+      def sign(&sign_bytes)
+        raise ArgumentError, "sign_bytes block required" unless sign_bytes
+
+        original = File.binread(@pdf_path)
+        reader   = PDF::Reader.new(StringIO.new(original))
+        trailer  = reader.objects.trailer
+
+        orig_startxref  = find_startxref(original)
+        orig_size       = trailer[:Size].to_i
+        root_ref        = trailer[:Root]
+
+        # New object numbers
+        sig_obj_num   = orig_size
+        field_obj_num = orig_size + 1
+
+        # The incremental update begins after a "\n" separator
+        base = original.bytesize + 1  # +1 for the separator newline
+
+        # Build object bodies and track their absolute offsets in the combined file
+        sig_body, contents_body_rel = build_sig_body(sig_obj_num)
+        sig_offset        = base
+        contents_abs      = sig_offset + contents_body_rel
+
+        field_body   = build_field_body(field_obj_num, sig_obj_num)
+        field_offset = sig_offset + sig_body.bytesize
+
+        catalog_obj_num = root_ref.id
+        catalog_gen     = root_ref.gen
+        catalog_body    = build_catalog_body(catalog_obj_num, catalog_gen,
+                                             field_obj_num, root_ref, reader)
+        catalog_offset  = field_offset + field_body.bytesize
+
+        xref_offset = catalog_offset + catalog_body.bytesize
+
+        xref_str = build_xref(
+          sig_obj_num    => sig_offset,
+          field_obj_num  => field_offset,
+          catalog_obj_num => catalog_offset
+        )
+
+        new_size    = [sig_obj_num, field_obj_num, catalog_obj_num].max + 1
+        trailer_str = "trailer\n" \
+          "<</Size #{new_size}" \
+          " /Root #{ref(catalog_obj_num, catalog_gen)}" \
+          " /Prev #{orig_startxref}>>\n" \
+          "startxref\n#{xref_offset}\n%%EOF\n"
+
+        combined = original +
+                   "\n" +
+                   sig_body + field_body + catalog_body +
+                   xref_str + trailer_str
+
+        File.binwrite(@output_path, combined)
+
+        # contents_abs is the absolute offset of '<' in /Contents <hex> in the combined file
+        contents_total = SIGNATURE_PLACEHOLDER_SIZE * 2 + 2  # '<' + hex_zeros + '>'
+        byte_range = [
+          0,
+          contents_abs,
+          contents_abs + contents_total,
+          combined.bytesize - (contents_abs + contents_total)
+        ]
+
+        patch_byte_range(byte_range)
+
+        data = read_byte_ranges(byte_range)
+
+        builder = CmsBuilder.new(
+          certificate:       @certificate,
+          certificate_chain: @certificate_chain,
+          signing_time:      @signing_time
+        )
+        cms_der = builder.build(data, &sign_bytes)
+
+        embed_signature(contents_abs, cms_der)
+
+        @output_path
+      end
+
+      private
+
+      # ------------------------------------------------------------------ #
+      # Object body builders                                                 #
+      # ------------------------------------------------------------------ #
+
+      # Returns [body_string, byte_offset_of_'<'_within_body]
+      def build_sig_body(obj_num)
+        hex_zeros = "0" * (SIGNATURE_PLACEHOLDER_SIZE * 2)
+
+        header = "#{obj_num} 0 obj\n" \
+          "<</Type /Sig\n" \
+          "/Filter /Adobe.PPKLite\n" \
+          "/SubFilter /adbe.pkcs7.detached\n" \
+          "/ByteRange #{BR_PLACEHOLDER}\n" \
+          "/Contents <"
+
+        footer = ">"
+        footer += "\n/Reason #{pdf_str(@reason)}"    if @reason
+        footer += "\n/Location #{pdf_str(@location)}" if @location
+        footer += "\n/ContactInfo #{pdf_str(@contact_info)}" if @contact_info
+        footer += "\n>>\nendobj\n"
+
+        body = header + hex_zeros + footer
+        [body, header.bytesize - 1]  # -1 → points at '<'
+      end
+
+      def build_field_body(obj_num, sig_obj_num)
+        "#{obj_num} 0 obj\n" \
+          "<</Type /Annot\n" \
+          "/Subtype /Widget\n" \
+          "/FT /Sig\n" \
+          "/V #{ref(sig_obj_num, 0)}\n" \
+          "/Rect [0 0 0 0]\n" \
+          "/F 4\n" \
+          "/T (Signature1)\n" \
+          ">>\nendobj\n"
+      end
+
+      def build_catalog_body(obj_num, gen, field_obj_num, root_ref, reader)
+        catalog = reader.objects[root_ref] || {}
+
+        parts = ["/Type /Catalog"]
+
+        if catalog[:Pages]
+          pr = catalog[:Pages]
+          parts << "/Pages #{ref(pr.id, pr.gen)}"
+        end
+
+        # Preserve common catalog entries
+        %i[ViewerPreferences PageLayout PageMode Names Outlines MarkInfo Lang].each do |key|
+          val = catalog[key]
+          next unless val
+          parts << "/#{key} #{pdf_val(val)}"
+        end
+
+        parts << "/AcroForm <</Fields [#{ref(field_obj_num, 0)}] /SigFlags 3>>"
+
+        "#{obj_num} #{gen} obj\n<<#{parts.join("\n")}>>\nendobj\n"
+      end
+
+      # ------------------------------------------------------------------ #
+      # Cross-reference table                                                #
+      # ------------------------------------------------------------------ #
+
+      # Writes separate 1-entry subsections — always valid PDF
+      def build_xref(entries)
+        out = +"xref\n"
+        entries.sort_by { |num, _| num }.each do |num, offset|
+          out << "#{num} 1\n"
+          out << "#{offset.to_s.rjust(10, "0")} 00000 n \n"
+        end
+        out
+      end
+
+      # ------------------------------------------------------------------ #
+      # ByteRange + signature embedding                                      #
+      # ------------------------------------------------------------------ #
+
+      def patch_byte_range(byte_range)
+        content = File.binread(@output_path)
+        br_str  = "[#{byte_range.map { |v| v.to_s.rjust(10, "0") }.join(" ")}]"
+        raise "ByteRange value too wide" if br_str.bytesize > BR_PLACEHOLDER.bytesize
+
+        idx = content.index("/ByteRange #{BR_PLACEHOLDER}")
+        raise InvalidPdfError, "ByteRange placeholder not found" unless idx
+
+        start = idx + "/ByteRange ".bytesize
+        content[start, BR_PLACEHOLDER.bytesize] = br_str.ljust(BR_PLACEHOLDER.bytesize)
+        File.binwrite(@output_path, content)
+      end
+
+      def read_byte_ranges(byte_range)
+        File.open(@output_path, "rb") do |f|
+          f.pos = byte_range[0]
+          chunk = f.read(byte_range[1])
+          f.pos = byte_range[2]
+          chunk << f.read(byte_range[3])
+        end
+      end
+
+      def embed_signature(contents_abs, cms_der)
+        hex = cms_der.unpack1("H*")
+        if hex.bytesize > SIGNATURE_PLACEHOLDER_SIZE * 2
+          raise PdfSignatureError, "CMS DER (#{hex.bytesize / 2} bytes) exceeds reserved " \
+                                   "#{SIGNATURE_PLACEHOLDER_SIZE} bytes"
+        end
+        padded = hex.ljust(SIGNATURE_PLACEHOLDER_SIZE * 2, "0")
+        File.open(@output_path, "rb+") do |f|
+          f.pos = contents_abs          # '<' of /Contents <hex>
+          f.write("<#{padded}>")
+        end
+      end
+
+      # ------------------------------------------------------------------ #
+      # Helpers                                                              #
+      # ------------------------------------------------------------------ #
+
+      def find_startxref(bytes)
+        tail = bytes.byteslice([bytes.bytesize - 1024, 0].max, 1024) || bytes
+        m    = tail.match(/startxref\s+(\d+)\s*%%EOF/)
+        raise InvalidPdfError, "Cannot locate startxref in PDF" unless m
+        m[1].to_i
+      end
+
+      def ref(id, gen)
+        "#{id} #{gen} R"
+      end
+
+      def pdf_str(str)
+        "(#{str.gsub("\\", "\\\\\\\\").gsub("(", "\\(").gsub(")", "\\)")})"
+      end
+
+      def pdf_val(val)
+        case val
+        when PDF::Reader::Reference then ref(val.id, val.gen)
+        when Symbol                 then "/#{val}"
+        when String                 then pdf_str(val)
+        when TrueClass              then "true"
+        when FalseClass             then "false"
+        when NilClass               then "null"
+        when Array                  then "[#{val.map { |v| pdf_val(v) }.join(" ")}]"
+        when Hash
+          inner = val.map { |k, v| "/#{k} #{pdf_val(v)}" }.join(" ")
+          "<<#{inner}>>"
+        else
+          val.to_s
+        end
+      end
+    end
+  end
+end