hexapdf 0.19.0 → 0.20.0

data/lib/hexapdf/type/signature.rb

@@ -0,0 +1,236 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2021 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'openssl'
+require 'hexapdf/dictionary'
+require 'hexapdf/error'
+
+module HexaPDF
+  module Type
+
+    # Represents a digital signature that is used to authenticate a user and the contents of the
+    # document.
+    #
+    # == Signature Verification
+    #
+    # Verification of signatures is a complex topic and what counts as completely verified may
+    # differ from use-case to use-case. Therefore HexaPDF provides as much diagnostic information as
+    # possible so that the user can decide whether a signature is valid.
+    #
+    # By defining a custom signature handler one is able to also customize the signature
+    # verification.
+    #
+    # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::AcroForm::SignatureField
+    class Signature < Dictionary
+
+      autoload :Handler, 'hexapdf/type/signature/handler'
+      autoload :AdbeX509RsaSha1, 'hexapdf/type/signature/adbe_x509_rsa_sha1'
+      autoload :AdbePkcs7Detached, 'hexapdf/type/signature/adbe_pkcs7_detached'
+      autoload :VerificationResult, 'hexapdf/type/signature/verification_result'
+
+      # Represents a transform parameters dictionary.
+      #
+      # The allowed fields depend on the transform method, so not all fields are available all the
+      # time.
+      #
+      # See: PDF1.7 s12.8.2.2, s12.8.2.3, s12.8.2.4
+      class TransformParams < Dictionary
+
+        define_type :TransformParams
+
+        define_field :Type, type: Symbol, default: type
+
+        # For DocMDP, also used by UR
+        define_field :P, type: [Integer, Boolean]
+        define_field :V, type: Symbol, allowed_values: [:"1.2", :"2.2"]
+
+        # For UR
+        define_field :Document,  type: PDFArray
+        define_field :Msg,       type: String
+        define_field :Annots,    type: PDFArray, version: '1.5'
+        define_field :Form,      type: PDFArray, version: '1.5'
+        define_field :Signature, type: PDFArray
+        define_field :EF,        type: PDFArray, version: '1.6'
+
+        # For FieldMDP
+        define_field :Action, type: Symbol, allowed_values: [:All, :Include, :Exclude]
+        define_field :Fields, type: PDFArray
+
+        private
+
+        # All values allowed for the /Annots field
+        FIELD_ANNOTS_ALLOWED_VALUES = [:Create, :Delete, :Modify, :Copy, :Import, :Online, :SummaryView]
+
+        # All values allowed for the /Form field
+        FIELD_FORM_ALLOWED_VALUES = [:Add, :Delete, :Fillin, :Import, :Export, :SubmitStandalone,
+                                     :SpawnTemplate, :BarcodePlaintext, :Online]
+
+        # All values allowed for the /EF field
+        FIELD_EF_ALLOWED_VALUES = [:Create, :Delete, :Modify, :Import]
+
+        def perform_validation #:nodoc:
+          super
+          # We need to perform the checks here since the values are arrays and not single elements
+          if (annots = self[:Annots]) && !(annots = annots.value - FIELD_ANNOTS_ALLOWED_VALUES).empty?
+            yield("Field /Annots contains invalid entries: #{annots.join(', ')}", true)
+            value[:Annots].value -= annots
+          end
+          if (form = self[:Form]) && !(form = form.value - FIELD_FORM_ALLOWED_VALUES).empty?
+            yield("Field /Form contains invalid entries: #{form.join(', ')}", true)
+            value[:Form].value -= form
+          end
+          if (ef = self[:EF]) && !(ef = ef.value - FIELD_EF_ALLOWED_VALUES).empty?
+            yield("Field /EF contains invalid entries: #{ef.join(', ')}", true)
+            value[:EF].value -= ef
+          end
+        end
+
+      end
+
+      # Represents a signature reference dictionary.
+      #
+      # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::Signature
+      class SignatureReference < Dictionary
+
+        define_type :SigRef
+
+        define_field :Type,            type: Symbol, default: type
+        define_field :TransformMethod, type: Symbol, required: true,
+          allowed_values: [:DocMDP, :UR, :FieldMDP]
+        define_field :TransformParams, type: Dictionary
+        define_field :Data,            type: ::Object
+        define_field :DigestMethod,    type: Symbol, version: '1.5',
+          allowed_values: [:MD5, :SHA1, :SHA256, :SHA384, :SHA512, :RIPEMD160]
+
+        private
+
+        def perform_validation #:nodoc:
+          super
+          if self[:TransformMethod] == :FieldMDP && !key?(:Data)
+            yield("Field /Data is required when /TransformMethod is /FieldMDP")
+          end
+        end
+
+      end
+
+      define_field :Type,          type: Symbol, default: :Sig,
+        allowed_values: [:Sig, :DocTimeStamp]
+      define_field :Filter,        type: Symbol
+      define_field :SubFilter,     type: Symbol
+      define_field :Contents,      type: PDFByteString
+      define_field :Cert,          type: [PDFArray, PDFByteString]
+      define_field :ByteRange,     type: PDFArray
+      define_field :Reference,     type: PDFArray
+      define_field :Changes,       type: PDFArray
+      define_field :Name,          type: String
+      define_field :M,             type: PDFDate
+      define_field :Location,      type: String
+      define_field :Reason,        type: String
+      define_field :ContactInfo,   type: String
+      define_field :R,             type: Integer
+      define_field :V,             type: Integer, default: 0, version: '1.5'
+      define_field :Prop_Build,    type: Dictionary, version: '1.5'
+      define_field :Prop_AuthTime, type: Integer, version: '1.5'
+      define_field :Prop_AuthType, type: Symbol, version: '1.5',
+        allowed_values: [:PIN, :Password, :Fingerprint]
+
+      # Returns the name of the person or authority that signed the document.
+      def signer_name
+        signature_handler.signer_name
+      end
+
+      # Returns the time of the signing.
+      def signing_time
+        signature_handler.signing_time
+      end
+
+      # Returns the reason for the signing.
+      def signing_reason
+        self[:Reason]
+      end
+
+      # Returns the location of the signing.
+      def signing_location
+        self[:Location]
+      end
+
+      # Returns the signature type based on the /SubFilter.
+      def signature_type
+        self[:SubFilter].to_s
+      end
+
+      # Returns the signature handler for this signature based on the /SubFilter entry.
+      def signature_handler
+        cache(:signature_handler) do
+          handler_class = document.config.constantize('signature.sub_filter_map', self[:SubFilter]) do
+            raise HexaPDF::Error, "No or unknown signature handler set: #{self[:SubFilter]}"
+          end
+          handler_class.new(self)
+        end
+      end
+
+      # Returns the raw signature value.
+      def contents
+        self[:Contents]
+      end
+
+      # Returns the signed data as indicated by the /ByteRange entry as byte string.
+      def signed_data
+        unless document.revisions.parser
+          raise HexaPDF::Error, "Can't load signed data without existing PDF file"
+        end
+        io = document.revisions.parser.io
+        data = ''.b
+        self[:ByteRange]&.each_slice(2) do |offset, length|
+          io.pos = offset
+          data << io.read(length)
+        end
+        data
+      end
+
+      # Returns a VerificationResult object with the verification information.
+      def verify(default_paths: true, trusted_certs: [], allow_self_signed: false)
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths if default_paths
+        store.purpose = OpenSSL::X509::PURPOSE_SMIME_SIGN
+        trusted_certs.each {|cert| store.add_cert(cert) }
+        signature_handler.verify(store, allow_self_signed: allow_self_signed)
+      end
+
+    end
+
+  end
+end

data/lib/hexapdf/type.rb

@@ -72,6 +72,7 @@ module HexaPDF
     autoload(:FontType3, 'hexapdf/type/font_type3')
     autoload(:IconFit, 'hexapdf/type/icon_fit')
     autoload(:AcroForm, 'hexapdf/type/acro_form')
+    autoload(:Signature, 'hexapdf/type/signature')
 
   end
 

data/lib/hexapdf/version.rb

@@ -37,6 +37,6 @@
 module HexaPDF
 
   # The version of HexaPDF.
-  VERSION = '0.19.0'
+  VERSION = '0.20.0'
 
 end

data/lib/hexapdf/writer.rb

@@ -44,8 +44,10 @@ module HexaPDF
   # Writes the contents of a PDF document to an IO stream.
   class Writer
 
-    # Writes the document to the IO object. If +incremental+ is +true+ and the document was created
-    # from an existing PDF file, the changes are appended to a full copy of the source document.
+    # Writes the document to the IO object and returns the last XRefSection written.
+    #
+    # If +incremental+ is +true+ and the document was created from an existing PDF file, the changes
+    # are appended to a full copy of the source document.
     def self.write(document, io, incremental: false)
       if incremental && document.revisions.parser
         new(document, io).write_incremental
@@ -66,33 +68,42 @@ module HexaPDF
       @serializer = Serializer.new
       @serializer.encrypter = @document.encrypted? ? @document.security_handler : nil
       @rev_size = 0
+
+      @use_xref_streams = false
     end
 
-    # Writes the document to the IO object.
+    # Writes the document to the IO object and returns the last XRefSection written.
     def write
       write_file_header
 
-      pos = nil
+      pos = xref_section = nil
       @document.trailer.info[:Producer] = "HexaPDF version #{HexaPDF::VERSION}"
       @document.revisions.each do |rev|
-        pos = write_revision(rev, pos)
+        pos, xref_section = write_revision(rev, pos)
       end
+
+      xref_section
     end
 
-    # Writes the complete source document and one revision containing all changes to the IO.
+    # Writes the complete source document unmodified to the IO and then one revision containing all
+    # changes. Returns the XRefSection of that one revision.
     #
     # For this method to work the document must have been created from an existing file.
     def write_incremental
       @document.revisions.parser.io.seek(0, IO::SEEK_SET)
       IO.copy_stream(@document.revisions.parser.io, @io)
+      @io << "\n"
 
       @rev_size = @document.revisions.current.next_free_oid
+      @use_xref_streams = @document.revisions.parser.contains_xref_streams?
 
       revision = Revision.new(@document.revisions.current.trailer)
       @document.revisions.each do |rev|
         rev.each_modified_object {|obj| revision.send(:add_without_check, obj) }
       end
-      write_revision(revision, @document.revisions.parser.startxref_offset)
+      _pos, xref_section = write_revision(revision, @document.revisions.parser.startxref_offset)
+
+      xref_section
     end
 
     private
@@ -147,7 +158,7 @@ module HexaPDF
 
       write_startxref(startxref)
 
-      startxref
+      [startxref, xref_section]
     end
 
     # :call-seq:
@@ -170,10 +181,13 @@ module HexaPDF
         end
       end
 
-      if !object_streams.empty? && xref_stream.nil?
-        raise HexaPDF::Error, "Cannot use object streams when there is no xref stream"
+      if (!object_streams.empty? || @use_xref_streams) && xref_stream.nil?
+        xref_stream = @document.wrap({Type: :XRef}, oid: rev.next_free_oid)
+        rev.add(xref_stream)
       end
 
+      @use_xref_streams = true if xref_stream
+
       [xref_stream, object_streams]
     end
 

data/test/hexapdf/content/test_graphics_state.rb

@@ -2,6 +2,7 @@
 
 require 'test_helper'
 require 'hexapdf/content/graphics_state'
+require 'ostruct'
 
 # Dummy class used as wrapper so that constant lookup works correctly
 class GraphicsStateWrapper < Minitest::Spec
@@ -146,6 +147,13 @@ class GraphicsStateWrapper < Minitest::Spec
     it "fails when restoring the graphics state if the stack is empty" do
       assert_raises(HexaPDF::Error) { @gs.restore }
     end
-  end
 
+    it "uses the correct glyph to text space scaling" do
+      font = OpenStruct.new
+      font.glyph_scaling_factor = 0.002
+      @gs.font = font
+      @gs.font_size = 10
+      assert_equal(0.02, @gs.scaled_font_size)
+    end
+  end
 end

data/test/hexapdf/content/test_operator.rb

@@ -4,6 +4,7 @@ require 'test_helper'
 require 'hexapdf/content/operator'
 require 'hexapdf/content/processor'
 require 'hexapdf/serializer'
+require 'ostruct'
 
 describe HexaPDF::Content::Operator::BaseOperator do
   before do
@@ -190,9 +191,11 @@ end
 
 describe_operator :SetGraphicsStateParameters, :gs do
   it "applies parameters from an ExtGState dictionary" do
+    font = OpenStruct.new
+    font.glyph_scaling_factor = 0.01
     @processor.resources[:ExtGState] = {Name: {LW: 10, LC: 2, LJ: 2, ML: 2, D: [[3, 5], 2],
                                                RI: 2, SA: true, BM: :Multiply, CA: 0.5, ca: 0.5,
-                                               AIS: true, TK: false, Font: [:Test, 10]}}
+                                               AIS: true, TK: false, Font: [font, 10]}}
     @processor.resources.define_singleton_method(:document) do
       Object.new.tap {|obj| obj.define_singleton_method(:deref) {|o| o } }
     end
@@ -210,7 +213,7 @@ describe_operator :SetGraphicsStateParameters, :gs do
     assert_equal(0.5, gs.stroke_alpha)
     assert_equal(0.5, gs.fill_alpha)
     assert(gs.alpha_source)
-    assert_equal(:Test, gs.font)
+    assert_equal(font, gs.font)
     assert_equal(10, gs.font_size)
     refute(gs.text_knockout)
   end
@@ -448,7 +451,9 @@ describe_operator :SetFontAndSize, :Tf do
       self[:Font] && self[:Font][name]
     end
 
-    @processor.resources[:Font] = {F1: :test}
+    font = OpenStruct.new
+    font.glyph_scaling_factor = 0.01
+    @processor.resources[:Font] = {F1: font}
     invoke(:F1, 10)
     assert_equal(@processor.resources.font(:F1), @processor.graphics_state.font)
     assert_equal(10, @processor.graphics_state.font_size)

data/test/hexapdf/content/test_processor.rb

@@ -156,7 +156,7 @@ describe HexaPDF::Content::Processor do
 
       it "fails if the current font is a vertical font" do
         @processor.graphics_state.font.define_singleton_method(:writing_mode) { :vertical }
-        assert_raises(NotImplementedError) { @processor.send(:decode_text_with_positioning, "a") }
+        assert_raises(RuntimeError) { @processor.send(:decode_text_with_positioning, "a") }
       end
     end
   end

data/test/hexapdf/document/test_signatures.rb

@@ -0,0 +1,225 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'stringio'
+require 'tempfile'
+require 'hexapdf/document'
+require_relative '../type/signature/common'
+
+describe HexaPDF::Document::Signatures do
+  before do
+    @doc = HexaPDF::Document.new
+    @form = @doc.acro_form(create: true)
+    @sig1 = @form.create_signature_field("test1")
+    @sig2 = @form.create_signature_field("test2")
+    @handler = HexaPDF::Document::Signatures::DefaultHandler.new(
+      certificate: CERTIFICATES.signer_certificate,
+      key: CERTIFICATES.signer_key,
+      certificate_chain: [CERTIFICATES.ca_certificate]
+    )
+  end
+
+  describe "DefaultHandler" do
+    it "returns the filter name" do
+      assert_equal(:'Adobe.PPKLite', @handler.filter_name)
+    end
+
+    it "returns the sub filter algorithm name" do
+      assert_equal(:'adbe.pkcs7.detached', @handler.sub_filter_name)
+    end
+
+    it "returns the size of serialized signature" do
+      assert_equal(1310, @handler.signature_size)
+    end
+
+    it "allows setting the DocMDP permissions" do
+      assert_nil(@handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :no_changes
+      assert_equal(1, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 1
+      assert_equal(1, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :form_filling
+      assert_equal(2, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 2
+      assert_equal(2, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :form_filling_and_annotations
+      assert_equal(3, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 3
+      assert_equal(3, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = nil
+      assert_nil(@handler.doc_mdp_permissions)
+
+      assert_raises(ArgumentError) { @handler.doc_mdp_permissions = :other }
+    end
+
+    it "can sign the data using PKCS7" do
+      data = "data"
+      store = OpenSSL::X509::Store.new
+      store.add_cert(CERTIFICATES.ca_certificate)
+
+      pkcs7 = OpenSSL::PKCS7.new(@handler.sign(data))
+      assert(pkcs7.detached?)
+      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                   pkcs7.certificates)
+      assert(pkcs7.verify([], store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY))
+    end
+
+    describe "finalize_objects" do
+      before do
+        @field = @doc.wrap({})
+        @obj = @doc.wrap({})
+      end
+
+      it "does nothing if no finalization tasks need to be done" do
+        @handler.finalize_objects(@field, @obj)
+        assert(@field.empty?)
+        assert(@obj.empty?)
+      end
+
+      it "sets the reason, location and contact info fields" do
+        @handler.reason = 'Reason'
+        @handler.location = 'Location'
+        @handler.contact_info = 'Contact'
+        @handler.finalize_objects(@field, @obj)
+        assert(@field.empty?)
+        assert_equal({Reason: 'Reason', Location: 'Location', ContactInfo: 'Contact'}, @obj.value)
+      end
+
+      it "applies the specified DocMDP permissions" do
+        @handler.doc_mdp_permissions = :no_changes
+        @handler.finalize_objects(@field, @obj)
+        ref = @obj[:Reference][0]
+        assert_equal(:DocMDP, ref[:TransformMethod])
+        assert_equal(:SHA1, ref[:DigestMethod])
+        assert_equal(1, ref[:TransformParams][:P])
+        assert_equal(:'1.2', ref[:TransformParams][:V])
+        assert_same(@obj, @doc.catalog[:Perms][:DocMDP])
+      end
+
+      it "fails if DocMDP should be set but there is already a signature" do
+        @handler.doc_mdp_permissions = :no_changes
+        2.times do
+          field = @doc.acro_form(create: true).create_signature_field('test')
+          field.field_value = :something
+        end
+        assert_raises(HexaPDF::Error) { @handler.finalize_objects(@field, @obj) }
+      end
+    end
+  end
+
+  it "iterates over all signature dictionaries" do
+    assert_equal([], @doc.signatures.to_a)
+    @sig1.field_value = :sig1
+    @sig2.field_value = :sig2
+    assert_equal([:sig1, :sig2], @doc.signatures.to_a)
+  end
+
+  it "returns the number of signature dictionaries" do
+    @sig1.field_value = :sig1
+    assert_equal(1, @doc.signatures.count)
+  end
+
+  describe "handler" do
+    it "return the initialized handler" do
+      handler = @doc.signatures.handler(certificate: 'cert', reason: 'reason')
+      assert_equal('cert', handler.certificate)
+      assert_equal('reason', handler.reason)
+    end
+
+    it "fails if the given task is not available" do
+      assert_raises(HexaPDF::Error) { @doc.signatures.handler(name: :unknown) }
+    end
+  end
+
+  describe "add" do
+    before do
+      @doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+      @io = StringIO.new
+    end
+
+    it "uses the provided signature dictionary" do
+      sig = @doc.add({Type: :Sig, Key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      assert_equal(:value, @doc.signatures.to_a[0][:Key])
+      refute_equal(:value, @doc.acro_form.each_field.first[:Key])
+    end
+
+    it "creates the signature dictionary if none is provided" do
+      @doc.signatures.add(@io, @handler)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      refute(@doc.acro_form.each_field.first.key?(:Contents))
+    end
+
+    it "sets the needed information on the signature dictionary" do
+      def @handler.finalize_objects(sigfield, sig)
+        sig[:key] = :sig
+        sigfield[:key] = :sig_field
+      end
+      @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      sig = @doc.signatures.first
+      assert_equal(:'Adobe.PPKLite', sig[:Filter])
+      assert_equal(:'adbe.pkcs7.detached', sig[:SubFilter])
+      assert_equal([0, 968, 3590, 2425], sig[:ByteRange].value)
+      assert_equal(:sig, sig[:key])
+      assert_equal(:sig_field, @doc.acro_form.each_field.first[:key])
+      assert(sig.key?(:Contents))
+      assert(sig.key?(:M))
+    end
+
+    it "creates the main form dictionary if necessary" do
+      @doc.signatures.add(@io, @handler)
+      assert(@doc.acro_form)
+      assert_equal([:signatures_exist, :append_only], @doc.acro_form.signature_flags)
+    end
+
+    it "uses the provided signature field" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      @doc.signatures.add(@io, @handler, signature: field)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      refute_nil(field.field_value)
+      assert_nil(@doc.signatures.first[:T])
+    end
+
+    it "uses an existing signature field if possible" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      field.field_value = sig = @doc.add({Type: :Sig, key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      assert_same(sig, @doc.signatures.first)
+    end
+
+    it "creates the signature field if necessary" do
+      @doc.acro_form(create: true).create_text_field('Signature2')
+      @doc.signatures.add(@io, @handler)
+      field = @doc.acro_form.field_by_name("Signature3")
+      assert_equal(:Sig, field.field_type)
+      refute_nil(field.field_value)
+      assert_equal(1, field.each_widget.count)
+    end
+
+    it "handles different xref section types correctly when determing the offsets" do
+      @doc.delete(7)
+      sig = @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      assert_equal([0, 968, 3590, 2412], sig[:ByteRange].value)
+    end
+
+    it "allows writing to a file in addition to writing to an IO" do
+      tempfile = Tempfile.new('hexapdf-signature')
+      tempfile.close
+      @doc.signatures.add(tempfile.path, @handler)
+      doc = HexaPDF::Document.open(tempfile.path)
+      assert(doc.signatures.first.verify(allow_self_signed: true).success?)
+    end
+
+    it "adds a new revision with the signature" do
+      @doc.signatures.add(@io, @handler)
+      signed_doc = HexaPDF::Document.new(io: @io)
+      assert(signed_doc.signatures.first.verify)
+    end
+  end
+end

data/test/hexapdf/encryption/test_standard_security_handler.rb

@@ -229,19 +229,21 @@ describe HexaPDF::Encryption::StandardSecurityHandler do
       assert_match(/Invalid \/R/i, exp.message)
     end
 
-    it "fails if the ID in the document's trailer is missing although it is needed" do
+    it "fails if the supplied password is invalid" do
       exp = assert_raises(HexaPDF::EncryptionError) do
-        @handler.set_up_decryption({Filter: :Standard, V: 2, R: 2})
+        @handler.set_up_decryption({Filter: :Standard, V: 2, R: 6, U: 'a' * 48, O: 'a' * 48,
+                                    UE: 'a' * 32, OE: 'a' * 32})
       end
-      assert_match(/Document ID/i, exp.message)
+      assert_match(/Invalid password/i, exp.message)
     end
 
-    it "fails if the supplied password is invalid" do
+    it "assigns empty strings to the trailer's ID field if it is missing" do
+      refute(@document.trailer.key?(:ID))
       exp = assert_raises(HexaPDF::EncryptionError) do
-        @handler.set_up_decryption({Filter: :Standard, V: 2, R: 6, U: 'a' * 48, O: 'a' * 48,
-                                    UE: 'a' * 32, OE: 'a' * 32})
+        @handler.set_up_decryption({Filter: :Standard, V: 1, R: 2, U: 'a' * 48, O: 'a' * 48, P: 15})
       end
       assert_match(/Invalid password/i, exp.message)
+      assert_equal(['', ''], @document.trailer[:ID].value)
     end
 
     describe "/Perms field checking" do