hexapdf 0.19.3 → 0.20.3

data/lib/hexapdf/type/signature.rb

@@ -0,0 +1,236 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2021 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'openssl'
+require 'hexapdf/dictionary'
+require 'hexapdf/error'
+
+module HexaPDF
+  module Type
+
+    # Represents a digital signature that is used to authenticate a user and the contents of the
+    # document.
+    #
+    # == Signature Verification
+    #
+    # Verification of signatures is a complex topic and what counts as completely verified may
+    # differ from use-case to use-case. Therefore HexaPDF provides as much diagnostic information as
+    # possible so that the user can decide whether a signature is valid.
+    #
+    # By defining a custom signature handler one is able to also customize the signature
+    # verification.
+    #
+    # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::AcroForm::SignatureField
+    class Signature < Dictionary
+
+      autoload :Handler, 'hexapdf/type/signature/handler'
+      autoload :AdbeX509RsaSha1, 'hexapdf/type/signature/adbe_x509_rsa_sha1'
+      autoload :AdbePkcs7Detached, 'hexapdf/type/signature/adbe_pkcs7_detached'
+      autoload :VerificationResult, 'hexapdf/type/signature/verification_result'
+
+      # Represents a transform parameters dictionary.
+      #
+      # The allowed fields depend on the transform method, so not all fields are available all the
+      # time.
+      #
+      # See: PDF1.7 s12.8.2.2, s12.8.2.3, s12.8.2.4
+      class TransformParams < Dictionary
+
+        define_type :TransformParams
+
+        define_field :Type, type: Symbol, default: type
+
+        # For DocMDP, also used by UR
+        define_field :P, type: [Integer, Boolean]
+        define_field :V, type: Symbol, allowed_values: [:"1.2", :"2.2"]
+
+        # For UR
+        define_field :Document,  type: PDFArray
+        define_field :Msg,       type: String
+        define_field :Annots,    type: PDFArray, version: '1.5'
+        define_field :Form,      type: PDFArray, version: '1.5'
+        define_field :Signature, type: PDFArray
+        define_field :EF,        type: PDFArray, version: '1.6'
+
+        # For FieldMDP
+        define_field :Action, type: Symbol, allowed_values: [:All, :Include, :Exclude]
+        define_field :Fields, type: PDFArray
+
+        private
+
+        # All values allowed for the /Annots field
+        FIELD_ANNOTS_ALLOWED_VALUES = [:Create, :Delete, :Modify, :Copy, :Import, :Online, :SummaryView]
+
+        # All values allowed for the /Form field
+        FIELD_FORM_ALLOWED_VALUES = [:Add, :Delete, :Fillin, :Import, :Export, :SubmitStandalone,
+                                     :SpawnTemplate, :BarcodePlaintext, :Online]
+
+        # All values allowed for the /EF field
+        FIELD_EF_ALLOWED_VALUES = [:Create, :Delete, :Modify, :Import]
+
+        def perform_validation #:nodoc:
+          super
+          # We need to perform the checks here since the values are arrays and not single elements
+          if (annots = self[:Annots]) && !(annots = annots.value - FIELD_ANNOTS_ALLOWED_VALUES).empty?
+            yield("Field /Annots contains invalid entries: #{annots.join(', ')}", true)
+            value[:Annots].value -= annots
+          end
+          if (form = self[:Form]) && !(form = form.value - FIELD_FORM_ALLOWED_VALUES).empty?
+            yield("Field /Form contains invalid entries: #{form.join(', ')}", true)
+            value[:Form].value -= form
+          end
+          if (ef = self[:EF]) && !(ef = ef.value - FIELD_EF_ALLOWED_VALUES).empty?
+            yield("Field /EF contains invalid entries: #{ef.join(', ')}", true)
+            value[:EF].value -= ef
+          end
+        end
+
+      end
+
+      # Represents a signature reference dictionary.
+      #
+      # See: PDF1.7 s12.8.1, PDF2.0 s12.8.1, HexaPDF::Type::Signature
+      class SignatureReference < Dictionary
+
+        define_type :SigRef
+
+        define_field :Type,            type: Symbol, default: type
+        define_field :TransformMethod, type: Symbol, required: true,
+          allowed_values: [:DocMDP, :UR, :FieldMDP]
+        define_field :TransformParams, type: Dictionary
+        define_field :Data,            type: ::Object
+        define_field :DigestMethod,    type: Symbol, version: '1.5',
+          allowed_values: [:MD5, :SHA1, :SHA256, :SHA384, :SHA512, :RIPEMD160]
+
+        private
+
+        def perform_validation #:nodoc:
+          super
+          if self[:TransformMethod] == :FieldMDP && !key?(:Data)
+            yield("Field /Data is required when /TransformMethod is /FieldMDP")
+          end
+        end
+
+      end
+
+      define_field :Type,          type: Symbol, default: :Sig,
+        allowed_values: [:Sig, :DocTimeStamp]
+      define_field :Filter,        type: Symbol
+      define_field :SubFilter,     type: Symbol
+      define_field :Contents,      type: PDFByteString
+      define_field :Cert,          type: [PDFArray, PDFByteString]
+      define_field :ByteRange,     type: PDFArray
+      define_field :Reference,     type: PDFArray
+      define_field :Changes,       type: PDFArray
+      define_field :Name,          type: String
+      define_field :M,             type: PDFDate
+      define_field :Location,      type: String
+      define_field :Reason,        type: String
+      define_field :ContactInfo,   type: String
+      define_field :R,             type: Integer
+      define_field :V,             type: Integer, default: 0, version: '1.5'
+      define_field :Prop_Build,    type: Dictionary, version: '1.5'
+      define_field :Prop_AuthTime, type: Integer, version: '1.5'
+      define_field :Prop_AuthType, type: Symbol, version: '1.5',
+        allowed_values: [:PIN, :Password, :Fingerprint]
+
+      # Returns the name of the person or authority that signed the document.
+      def signer_name
+        signature_handler.signer_name
+      end
+
+      # Returns the time of the signing.
+      def signing_time
+        signature_handler.signing_time
+      end
+
+      # Returns the reason for the signing.
+      def signing_reason
+        self[:Reason]
+      end
+
+      # Returns the location of the signing.
+      def signing_location
+        self[:Location]
+      end
+
+      # Returns the signature type based on the /SubFilter.
+      def signature_type
+        self[:SubFilter].to_s
+      end
+
+      # Returns the signature handler for this signature based on the /SubFilter entry.
+      def signature_handler
+        cache(:signature_handler) do
+          handler_class = document.config.constantize('signature.sub_filter_map', self[:SubFilter]) do
+            raise HexaPDF::Error, "No or unknown signature handler set: #{self[:SubFilter]}"
+          end
+          handler_class.new(self)
+        end
+      end
+
+      # Returns the raw signature value.
+      def contents
+        self[:Contents]
+      end
+
+      # Returns the signed data as indicated by the /ByteRange entry as byte string.
+      def signed_data
+        unless document.revisions.parser
+          raise HexaPDF::Error, "Can't load signed data without existing PDF file"
+        end
+        io = document.revisions.parser.io
+        data = ''.b
+        self[:ByteRange]&.each_slice(2) do |offset, length|
+          io.pos = offset
+          data << io.read(length)
+        end
+        data
+      end
+
+      # Returns a VerificationResult object with the verification information.
+      def verify(default_paths: true, trusted_certs: [], allow_self_signed: false)
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths if default_paths
+        store.purpose = OpenSSL::X509::PURPOSE_SMIME_SIGN
+        trusted_certs.each {|cert| store.add_cert(cert) }
+        signature_handler.verify(store, allow_self_signed: allow_self_signed)
+      end
+
+    end
+
+  end
+end

data/lib/hexapdf/type.rb

@@ -72,6 +72,7 @@ module HexaPDF
     autoload(:FontType3, 'hexapdf/type/font_type3')
     autoload(:IconFit, 'hexapdf/type/icon_fit')
     autoload(:AcroForm, 'hexapdf/type/acro_form')
+    autoload(:Signature, 'hexapdf/type/signature')
 
   end
 

data/lib/hexapdf/version.rb

@@ -37,6 +37,6 @@
 module HexaPDF
 
   # The version of HexaPDF.
-  VERSION = '0.19.3'
+  VERSION = '0.20.3'
 
 end

data/lib/hexapdf/writer.rb

@@ -44,8 +44,10 @@ module HexaPDF
   # Writes the contents of a PDF document to an IO stream.
   class Writer
 
-    # Writes the document to the IO object. If +incremental+ is +true+ and the document was created
-    # from an existing PDF file, the changes are appended to a full copy of the source document.
+    # Writes the document to the IO object and returns the last XRefSection written.
+    #
+    # If +incremental+ is +true+ and the document was created from an existing PDF file, the changes
+    # are appended to a full copy of the source document.
     def self.write(document, io, incremental: false)
       if incremental && document.revisions.parser
         new(document, io).write_incremental
@@ -70,32 +72,46 @@ module HexaPDF
       @use_xref_streams = false
     end
 
-    # Writes the document to the IO object.
+    # Writes the document to the IO object and returns the last XRefSection written.
     def write
       write_file_header
 
-      pos = nil
+      pos = xref_section = nil
       @document.trailer.info[:Producer] = "HexaPDF version #{HexaPDF::VERSION}"
       @document.revisions.each do |rev|
-        pos = write_revision(rev, pos)
+        pos, xref_section = write_revision(rev, pos)
       end
+
+      xref_section
     end
 
-    # Writes the complete source document and one revision containing all changes to the IO.
+    # Writes the complete source document unmodified to the IO and then one revision containing all
+    # changes. Returns the XRefSection of that one revision.
     #
     # For this method to work the document must have been created from an existing file.
     def write_incremental
-      @document.revisions.parser.io.seek(0, IO::SEEK_SET)
-      IO.copy_stream(@document.revisions.parser.io, @io)
+      parser = @document.revisions.parser
+
+      _, orig_trailer = parser.load_revision(parser.startxref_offset)
+      orig_trailer = @document.wrap(orig_trailer, type: :XXTrailer)
+      if @document.revisions.current.trailer[:Encrypt]&.value != orig_trailer[:Encrypt]&.value
+        raise HexaPDF::Error, "Used encryption cannot be modified when doing incremental writing"
+      end
+
+      parser.io.seek(0, IO::SEEK_SET)
+      IO.copy_stream(parser.io, @io)
+      @io << "\n"
 
       @rev_size = @document.revisions.current.next_free_oid
-      @use_xref_streams = @document.revisions.parser.contains_xref_streams?
+      @use_xref_streams = parser.contains_xref_streams?
 
       revision = Revision.new(@document.revisions.current.trailer)
       @document.revisions.each do |rev|
         rev.each_modified_object {|obj| revision.send(:add_without_check, obj) }
       end
-      write_revision(revision, @document.revisions.parser.startxref_offset)
+      _pos, xref_section = write_revision(revision, @document.revisions.parser.startxref_offset)
+
+      xref_section
     end
 
     private
@@ -150,7 +166,7 @@ module HexaPDF
 
       write_startxref(startxref)
 
-      startxref
+      [startxref, xref_section]
     end
 
     # :call-seq:

data/test/hexapdf/content/test_processor.rb

@@ -156,7 +156,7 @@ describe HexaPDF::Content::Processor do
 
       it "fails if the current font is a vertical font" do
         @processor.graphics_state.font.define_singleton_method(:writing_mode) { :vertical }
-        assert_raises(NotImplementedError) { @processor.send(:decode_text_with_positioning, "a") }
+        assert_raises(RuntimeError) { @processor.send(:decode_text_with_positioning, "a") }
       end
     end
   end

data/test/hexapdf/document/test_signatures.rb

@@ -0,0 +1,225 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'stringio'
+require 'tempfile'
+require 'hexapdf/document'
+require_relative '../type/signature/common'
+
+describe HexaPDF::Document::Signatures do
+  before do
+    @doc = HexaPDF::Document.new
+    @form = @doc.acro_form(create: true)
+    @sig1 = @form.create_signature_field("test1")
+    @sig2 = @form.create_signature_field("test2")
+    @handler = HexaPDF::Document::Signatures::DefaultHandler.new(
+      certificate: CERTIFICATES.signer_certificate,
+      key: CERTIFICATES.signer_key,
+      certificate_chain: [CERTIFICATES.ca_certificate]
+    )
+  end
+
+  describe "DefaultHandler" do
+    it "returns the filter name" do
+      assert_equal(:'Adobe.PPKLite', @handler.filter_name)
+    end
+
+    it "returns the sub filter algorithm name" do
+      assert_equal(:'adbe.pkcs7.detached', @handler.sub_filter_name)
+    end
+
+    it "returns the size of serialized signature" do
+      assert_equal(1310, @handler.signature_size)
+    end
+
+    it "allows setting the DocMDP permissions" do
+      assert_nil(@handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :no_changes
+      assert_equal(1, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 1
+      assert_equal(1, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :form_filling
+      assert_equal(2, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 2
+      assert_equal(2, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = :form_filling_and_annotations
+      assert_equal(3, @handler.doc_mdp_permissions)
+      @handler.doc_mdp_permissions = 3
+      assert_equal(3, @handler.doc_mdp_permissions)
+
+      @handler.doc_mdp_permissions = nil
+      assert_nil(@handler.doc_mdp_permissions)
+
+      assert_raises(ArgumentError) { @handler.doc_mdp_permissions = :other }
+    end
+
+    it "can sign the data using PKCS7" do
+      data = "data"
+      store = OpenSSL::X509::Store.new
+      store.add_cert(CERTIFICATES.ca_certificate)
+
+      pkcs7 = OpenSSL::PKCS7.new(@handler.sign(data))
+      assert(pkcs7.detached?)
+      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                   pkcs7.certificates)
+      assert(pkcs7.verify([], store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY))
+    end
+
+    describe "finalize_objects" do
+      before do
+        @field = @doc.wrap({})
+        @obj = @doc.wrap({})
+      end
+
+      it "does nothing if no finalization tasks need to be done" do
+        @handler.finalize_objects(@field, @obj)
+        assert(@field.empty?)
+        assert(@obj.empty?)
+      end
+
+      it "sets the reason, location and contact info fields" do
+        @handler.reason = 'Reason'
+        @handler.location = 'Location'
+        @handler.contact_info = 'Contact'
+        @handler.finalize_objects(@field, @obj)
+        assert(@field.empty?)
+        assert_equal({Reason: 'Reason', Location: 'Location', ContactInfo: 'Contact'}, @obj.value)
+      end
+
+      it "applies the specified DocMDP permissions" do
+        @handler.doc_mdp_permissions = :no_changes
+        @handler.finalize_objects(@field, @obj)
+        ref = @obj[:Reference][0]
+        assert_equal(:DocMDP, ref[:TransformMethod])
+        assert_equal(:SHA1, ref[:DigestMethod])
+        assert_equal(1, ref[:TransformParams][:P])
+        assert_equal(:'1.2', ref[:TransformParams][:V])
+        assert_same(@obj, @doc.catalog[:Perms][:DocMDP])
+      end
+
+      it "fails if DocMDP should be set but there is already a signature" do
+        @handler.doc_mdp_permissions = :no_changes
+        2.times do
+          field = @doc.acro_form(create: true).create_signature_field('test')
+          field.field_value = :something
+        end
+        assert_raises(HexaPDF::Error) { @handler.finalize_objects(@field, @obj) }
+      end
+    end
+  end
+
+  it "iterates over all signature dictionaries" do
+    assert_equal([], @doc.signatures.to_a)
+    @sig1.field_value = :sig1
+    @sig2.field_value = :sig2
+    assert_equal([:sig1, :sig2], @doc.signatures.to_a)
+  end
+
+  it "returns the number of signature dictionaries" do
+    @sig1.field_value = :sig1
+    assert_equal(1, @doc.signatures.count)
+  end
+
+  describe "handler" do
+    it "return the initialized handler" do
+      handler = @doc.signatures.handler(certificate: 'cert', reason: 'reason')
+      assert_equal('cert', handler.certificate)
+      assert_equal('reason', handler.reason)
+    end
+
+    it "fails if the given task is not available" do
+      assert_raises(HexaPDF::Error) { @doc.signatures.handler(name: :unknown) }
+    end
+  end
+
+  describe "add" do
+    before do
+      @doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+      @io = StringIO.new
+    end
+
+    it "uses the provided signature dictionary" do
+      sig = @doc.add({Type: :Sig, Key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      assert_equal(:value, @doc.signatures.to_a[0][:Key])
+      refute_equal(:value, @doc.acro_form.each_field.first[:Key])
+    end
+
+    it "creates the signature dictionary if none is provided" do
+      @doc.signatures.add(@io, @handler)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      refute(@doc.acro_form.each_field.first.key?(:Contents))
+    end
+
+    it "sets the needed information on the signature dictionary" do
+      def @handler.finalize_objects(sigfield, sig)
+        sig[:key] = :sig
+        sigfield[:key] = :sig_field
+      end
+      @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      sig = @doc.signatures.first
+      assert_equal(:'Adobe.PPKLite', sig[:Filter])
+      assert_equal(:'adbe.pkcs7.detached', sig[:SubFilter])
+      assert_equal([0, 968, 3590, 2425], sig[:ByteRange].value)
+      assert_equal(:sig, sig[:key])
+      assert_equal(:sig_field, @doc.acro_form.each_field.first[:key])
+      assert(sig.key?(:Contents))
+      assert(sig.key?(:M))
+    end
+
+    it "creates the main form dictionary if necessary" do
+      @doc.signatures.add(@io, @handler)
+      assert(@doc.acro_form)
+      assert_equal([:signatures_exist, :append_only], @doc.acro_form.signature_flags)
+    end
+
+    it "uses the provided signature field" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      @doc.signatures.add(@io, @handler, signature: field)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      refute_nil(field.field_value)
+      assert_nil(@doc.signatures.first[:T])
+    end
+
+    it "uses an existing signature field if possible" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      field.field_value = sig = @doc.add({Type: :Sig, key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      assert_same(sig, @doc.signatures.first)
+    end
+
+    it "creates the signature field if necessary" do
+      @doc.acro_form(create: true).create_text_field('Signature2')
+      @doc.signatures.add(@io, @handler)
+      field = @doc.acro_form.field_by_name("Signature3")
+      assert_equal(:Sig, field.field_type)
+      refute_nil(field.field_value)
+      assert_equal(1, field.each_widget.count)
+    end
+
+    it "handles different xref section types correctly when determing the offsets" do
+      @doc.delete(7)
+      sig = @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      assert_equal([0, 968, 3590, 2412], sig[:ByteRange].value)
+    end
+
+    it "allows writing to a file in addition to writing to an IO" do
+      tempfile = Tempfile.new('hexapdf-signature')
+      tempfile.close
+      @doc.signatures.add(tempfile.path, @handler)
+      doc = HexaPDF::Document.open(tempfile.path)
+      assert(doc.signatures.first.verify(allow_self_signed: true).success?)
+    end
+
+    it "adds a new revision with the signature" do
+      @doc.signatures.add(@io, @handler)
+      signed_doc = HexaPDF::Document.new(io: @io)
+      assert(signed_doc.signatures.first.verify)
+    end
+  end
+end

data/test/hexapdf/encryption/test_security_handler.rb

@@ -294,9 +294,17 @@ describe HexaPDF::Encryption::SecurityHandler do
       assert_equal('string', obj.stream)
     end
 
-    it "doesn't decrypt a document's Encrypt dictionary" do
-      @document.trailer[:Encrypt] = @obj
-      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    it "doesn't decrypt a document's Encrypt dictionaries" do
+      @document = HexaPDF::Document.new
+      @document.trailer[:Encrypt] = @document.add({Key: "Something"})
+      @document.revisions.add
+      @document.trailer[:Encrypt] = @document.add({Key: "Otherthing"})
+      @handler = TestHandler.new(@document)
+
+      assert_equal("Something",
+                   @handler.decrypt(@document.revisions[0].trailer[:Encrypt])[:Key])
+      assert_equal("Otherthing",
+                   @handler.decrypt(@document.revisions[1].trailer[:Encrypt])[:Key])
     end
 
     it "defers handling encryption to a Crypt filter is specified" do

data/test/hexapdf/task/test_optimize.rb

@@ -168,12 +168,14 @@ describe HexaPDF::Task::Optimize do
         page1.resources[:XObject][:test] = @doc.add({})
         page1.resources[:XObject][:used_on_page2] = @doc.add({})
         page1.resources[:XObject][:unused] = @doc.add({})
-        page1.contents = "/test Do"
+        page1.contents = "/test Do /InvalidRef Do"
         page2 = @doc.pages.add
         page2.resources[:XObject] = {}
         page2.resources[:XObject][:used_on2] = page1.resources[:XObject][:used_on_page2]
         page2.resources[:XObject][:also_unused] = page1.resources[:XObject][:unused]
         page2.contents = "/used_on2 Do"
+        page3 = @doc.pages.add
+        page3.contents = "/unused Do   "
 
         @doc.task(:optimize, prune_page_resources: true, compress_pages: compress_pages)
 
@@ -182,6 +184,7 @@ describe HexaPDF::Task::Optimize do
         refute(page1.resources[:XObject].key?(:unused))
         assert(page2.resources[:XObject].key?(:used_on2))
         refute(page2.resources[:XObject].key?(:also_unused))
+        assert_equal("/unused Do#{compress_pages ? "\n" : '   '}", page3.contents)
       end
     end
   end

data/test/hexapdf/test_document.rb

@@ -596,6 +596,34 @@ describe HexaPDF::Document do
     end
   end
 
+  describe "signature interface" do
+    it "returns whether the document is signed or not" do
+      refute(@doc.signed?)
+
+      form = @doc.acro_form(create: true)
+      form.signature_flag(:signatures_exist)
+      assert(@doc.signed?)
+    end
+
+    it "returns all signature fields of the document" do
+      form = @doc.acro_form(create: true)
+      sig1 = @doc.add({FT: :Sig, T: 'sig1', V: :sig1})
+      sig2 = @doc.add({FT: :Sig, T: 'sig2', V: :sig2})
+      form.root_fields << sig1 << sig2
+      assert_equal([:sig1, :sig2], @doc.signatures.to_a)
+    end
+
+    it "allows to conveniently sign a document" do
+      mock = Minitest::Mock.new
+      mock.expect(:handler, :handler, [{name: :handler, opt: :key}])
+      mock.expect(:add, :added, [:io, :handler, {signature: :sig, write_options: :write_options}])
+      @doc.instance_variable_set(:@signatures, mock)
+      result = @doc.sign(:io, handler: :handler, write_options: :write_options, signature: :sig, opt: :key)
+      assert_equal(:added, result)
+      mock.verify
+    end
+  end
+
   describe "listener interface" do
     it "allows registering and dispatching messages" do
       args = []

data/test/hexapdf/test_object.rb

@@ -182,7 +182,7 @@ describe HexaPDF::Object do
     assert_match(/\[5, 0\].*value=5/, obj.inspect)
   end
 
-  it "can be compared to another object or reference" do
+  it "can be compared to another object, reference or, if not indirect, a simple value" do
     obj = HexaPDF::Object.new(5, oid: 5)
 
     assert_equal(obj, HexaPDF::Object.new(obj))
@@ -192,6 +192,11 @@ describe HexaPDF::Object do
     refute_equal(obj, HexaPDF::Object.new(5, oid: 5, gen: 1))
 
     assert_equal(obj, HexaPDF::Reference.new(5, 0))
+
+    refute_equal(obj, 5)
+    obj.data.oid = 0
+    assert_equal(obj, 5)
+    assert_equal(obj, HexaPDF::Object.new(5))
   end
 
   it "works correctly as hash key, is interchangable in this regard with Reference objects" do
@@ -216,7 +221,7 @@ describe HexaPDF::Object do
     it "creates an independent object" do
       obj = HexaPDF::Object.new({a: "mystring", b: HexaPDF::Reference.new(1, 0), c: 5})
       copy = obj.deep_copy
-      refute_equal(copy, obj)
+      refute_same(copy, obj)
       assert_equal(copy.value, obj.value)
       refute_same(copy.value[:a], obj.value[:a])
     end