hexapdf 0.20.0 → 0.20.4

data/lib/hexapdf/type/signature/handler.rb

@@ -78,6 +78,45 @@ module HexaPDF
           raise "Needs to be implemented by specific handlers"
         end
 
+        # Verifies general signature properties and prepares the provided OpenSSL::X509::Store
+        # object for use by concrete implementations.
+        #
+        # Needs to be called by specific handlers.
+        def verify(store, allow_self_signed: false)
+          result = VerificationResult.new
+          check_certified_signature(result)
+          verify_signing_time(result)
+          store.verify_callback =
+            store_verification_callback(result, allow_self_signed: allow_self_signed)
+          result
+        end
+
+        protected
+
+        # Verifies that the signing time was within the validity period of the signer certificate.
+        def verify_signing_time(result)
+          time = signing_time
+          cert = signer_certificate
+          if time && cert && (time < cert.not_before || time > cert.not_after)
+            result.log(:error, "Signer certificate not valid at signing time")
+          end
+        end
+
+        DOCMDP_PERMS_MESSAGE_MAP = { # :nodoc:
+          1 => "No changes allowed",
+          2 => "Form filling and signing allowed",
+          3 => "Form filling, signing and annotation manipulation allowed",
+        }
+
+        # Sets an informational message on +result+ whether the signature is a certified signature.
+        def check_certified_signature(result)
+          sigref = signature_dict[:Reference]&.find {|ref| ref[:TransformMethod] == :DocMDP }
+          if sigref && signature_dict.document.catalog[:Perms]&.[](:DocMDP) == signature_dict
+            perms = sigref[:TransformParams]&.[](:P) || 2
+            result.log(:info, "Certified signature (#{DOCMDP_PERMS_MESSAGE_MAP[perms]})")
+          end
+        end
+
         # Returns the block that should be used as the OpenSSL::X509::Store verification callback.
         #
         # +result+:: The VerificationResult object that should be updated if problems are found.
@@ -94,17 +133,6 @@ module HexaPDF
           end
         end
 
-        protected
-
-        # Verifies that the signing time was within the validity period of the signer certificate.
-        def verify_signing_time(result)
-          time = signing_time
-          cert = signer_certificate
-          if time && (time < cert.not_before || time > cert.not_after)
-            result.log(:error, "Signer certificate not valid at signing time")
-          end
-        end
-
       end
 
     end

data/lib/hexapdf/version.rb

@@ -37,6 +37,6 @@
 module HexaPDF
 
   # The version of HexaPDF.
-  VERSION = '0.20.0'
+  VERSION = '0.20.4'
 
 end

data/lib/hexapdf/writer.rb

@@ -90,12 +90,20 @@ module HexaPDF
     #
     # For this method to work the document must have been created from an existing file.
     def write_incremental
-      @document.revisions.parser.io.seek(0, IO::SEEK_SET)
-      IO.copy_stream(@document.revisions.parser.io, @io)
+      parser = @document.revisions.parser
+
+      _, orig_trailer = parser.load_revision(parser.startxref_offset)
+      orig_trailer = @document.wrap(orig_trailer, type: :XXTrailer)
+      if @document.revisions.current.trailer[:Encrypt]&.value != orig_trailer[:Encrypt]&.value
+        raise HexaPDF::Error, "Used encryption cannot be modified when doing incremental writing"
+      end
+
+      parser.io.seek(0, IO::SEEK_SET)
+      IO.copy_stream(parser.io, @io)
       @io << "\n"
 
       @rev_size = @document.revisions.current.next_free_oid
-      @use_xref_streams = @document.revisions.parser.contains_xref_streams?
+      @use_xref_streams = parser.contains_xref_streams?
 
       revision = Revision.new(@document.revisions.current.trailer)
       @document.revisions.each do |rev|

data/test/hexapdf/encryption/test_security_handler.rb

@@ -294,9 +294,17 @@ describe HexaPDF::Encryption::SecurityHandler do
       assert_equal('string', obj.stream)
     end
 
-    it "doesn't decrypt a document's Encrypt dictionary" do
-      @document.trailer[:Encrypt] = @obj
-      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    it "doesn't decrypt a document's Encrypt dictionaries" do
+      @document = HexaPDF::Document.new
+      @document.trailer[:Encrypt] = @document.add({Key: "Something"})
+      @document.revisions.add
+      @document.trailer[:Encrypt] = @document.add({Key: "Otherthing"})
+      @handler = TestHandler.new(@document)
+
+      assert_equal("Something",
+                   @handler.decrypt(@document.revisions[0].trailer[:Encrypt])[:Key])
+      assert_equal("Otherthing",
+                   @handler.decrypt(@document.revisions[1].trailer[:Encrypt])[:Key])
     end
 
     it "defers handling encryption to a Crypt filter is specified" do

data/test/hexapdf/font/test_type1_wrapper.rb

@@ -103,5 +103,9 @@ describe HexaPDF::Font::Type1Wrapper do
     it "sets the circular reference" do
       assert_same(@times_wrapper, @times_wrapper.pdf_object.font_wrapper)
     end
+
+    it "makes sure that the PDF dictionaries are indirect" do
+      assert(@times_wrapper.pdf_object.indirect?)
+    end
   end
 end

data/test/hexapdf/task/test_optimize.rb

@@ -168,12 +168,14 @@ describe HexaPDF::Task::Optimize do
         page1.resources[:XObject][:test] = @doc.add({})
         page1.resources[:XObject][:used_on_page2] = @doc.add({})
         page1.resources[:XObject][:unused] = @doc.add({})
-        page1.contents = "/test Do"
+        page1.contents = "/test Do /InvalidRef Do"
         page2 = @doc.pages.add
         page2.resources[:XObject] = {}
         page2.resources[:XObject][:used_on2] = page1.resources[:XObject][:used_on_page2]
         page2.resources[:XObject][:also_unused] = page1.resources[:XObject][:unused]
         page2.contents = "/used_on2 Do"
+        page3 = @doc.pages.add
+        page3.contents = "/unused Do   "
 
         @doc.task(:optimize, prune_page_resources: true, compress_pages: compress_pages)
 
@@ -182,6 +184,7 @@ describe HexaPDF::Task::Optimize do
         refute(page1.resources[:XObject].key?(:unused))
         assert(page2.resources[:XObject].key?(:used_on2))
         refute(page2.resources[:XObject].key?(:also_unused))
+        assert_equal("/unused Do#{compress_pages ? "\n" : '   '}", page3.contents)
       end
     end
   end

data/test/hexapdf/test_writer.rb

@@ -40,7 +40,7 @@ describe HexaPDF::Writer do
       219
       %%EOF
       3 0 obj
-      <</Producer(HexaPDF version 0.20.0)>>
+      <</Producer(HexaPDF version 0.20.4)>>
       endobj
       xref
       3 1
@@ -72,7 +72,7 @@ describe HexaPDF::Writer do
       141
       %%EOF
       6 0 obj
-      <</Producer(HexaPDF version 0.20.0)>>
+      <</Producer(HexaPDF version 0.20.4)>>
       endobj
       2 0 obj
       <</Length 10>>stream
@@ -123,6 +123,17 @@ describe HexaPDF::Writer do
       HexaPDF::Writer.write(doc, output_io, incremental: true)
       refute_match(/^trailer/, output_io.string)
     end
+
+    it "raises an error if the used encryption was changed" do
+      io = StringIO.new
+      doc = HexaPDF::Document.new
+      doc.encrypt
+      doc.write(io)
+
+      doc = HexaPDF::Document.new(io: io)
+      doc.encrypt(owner_password: 'test')
+      assert_raises(HexaPDF::Error) { doc.write('notused', incremental: true) }
+    end
   end
 
   it "creates an xref stream if no xref stream is in a revision but object streams are" do

data/test/hexapdf/type/signature/test_handler.rb

@@ -2,6 +2,7 @@
 
 require 'test_helper'
 require 'hexapdf/type/signature'
+require 'hexapdf/document'
 require 'time'
 require 'ostruct'
 
@@ -10,6 +11,7 @@ describe HexaPDF::Type::Signature::Handler do
     @time = Time.parse("2021-11-14 7:00")
     @dict = {Name: "handler", M: @time}
     @handler = HexaPDF::Type::Signature::Handler.new(@dict)
+    @result = HexaPDF::Type::Signature::VerificationResult.new
   end
 
   it "returns the signer name" do
@@ -30,7 +32,6 @@ describe HexaPDF::Type::Signature::Handler do
 
   describe "store_verification_callback" do
     before do
-      @result = HexaPDF::Type::Signature::VerificationResult.new
       @context = OpenStruct.new
     end
 
@@ -40,7 +41,7 @@ describe HexaPDF::Type::Signature::Handler do
         [true, false].each do |allow_self_signed|
           @result.messages.clear
           @context.error = error
-          @handler.store_verification_callback(@result, allow_self_signed: allow_self_signed).
+          @handler.send(:store_verification_callback, @result, allow_self_signed: allow_self_signed).
             call(false, @context)
           assert_equal(1, @result.messages.size)
           assert_match(/self-signed certificate/i, @result.messages[0].content)
@@ -51,26 +52,51 @@ describe HexaPDF::Type::Signature::Handler do
   end
 
   it "verifies the signing time" do
-    result = HexaPDF::Type::Signature::VerificationResult.new
     [
       [true, '6:00', '8:00'],
       [false, '7:30', '8:00'],
       [false, '5:00', '6:00'],
     ].each do |success, not_before, not_after|
-      result.messages.clear
+      @result.messages.clear
       @handler.define_singleton_method(:signer_certificate) do
         OpenStruct.new.tap do |struct|
           struct.not_before = Time.parse("2021-11-14 #{not_before}")
           struct.not_after = Time.parse("2021-11-14 #{not_after}")
         end
       end
-      @handler.send(:verify_signing_time, result)
+      @handler.send(:verify_signing_time, @result)
       if success
-        assert(result.messages.empty?)
+        assert(@result.messages.empty?)
       else
-        assert_equal(1, result.messages.size)
+        assert_equal(1, @result.messages.size)
       end
       @handler.singleton_class.remove_method(:signer_certificate)
     end
   end
+
+  describe "check_certified_signature" do
+    before do
+      @dict = HexaPDF::Document.new.wrap({Type: :Sig})
+      @handler.instance_variable_set(:@signature_dict, @dict)
+    end
+
+    it "logs nothing if there is no signature reference dictionary" do
+      @handler.send(:check_certified_signature, @result)
+      assert(@result.messages.empty?)
+    end
+
+    it "logs nothing if the global DocMDP permissions entry doesn't point to the signature" do
+      @dict[:Reference] = [{TransformMethod: :DocMDP}]
+      @handler.send(:check_certified_signature, @result)
+      assert(@result.messages.empty?)
+    end
+
+    it "logs a message if the signature is a certified one" do
+      @dict[:Reference] = [{TransformMethod: :DocMDP}]
+      @dict.document.catalog[:Perms] = {DocMDP: @dict}
+      @handler.send(:check_certified_signature, @result)
+      assert_equal(1, @result.messages.size)
+      assert_match(/certified signature/i, @result.messages[0].content)
+    end
+  end
 end

data/test/hexapdf/type/test_annotation.rb

@@ -77,7 +77,13 @@ describe HexaPDF::Type::Annotation do
     stream[:BBox] = [1, 2, 3, 4]
     appearance = @annot.appearance
     assert_same(stream.data, appearance.data)
-    assert_equal(:Form, appearance[:Subtype])
+    assert_kind_of(HexaPDF::Type::Form, appearance)
+
+    stream[:Type] = :XObject
+    stream[:Subtype] = :Form
+    appearance = @annot.appearance
+    assert_same(stream.data, appearance.data)
+    assert_kind_of(HexaPDF::Type::Form, appearance)
 
     @annot[:AP][:N] = {X: {}}
     assert_nil(@annot.appearance)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hexapdf
 version: !ruby/object:Gem::Version
-  version: 0.20.0
+  version: 0.20.4
 platform: ruby
 authors:
 - Thomas Leitner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-12-30 00:00:00.000000000 Z
+date: 2022-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cmdparse
@@ -671,7 +671,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
 summary: HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby