hexapdf 0.26.2 → 0.27.0

data/lib/hexapdf/type/outline_item.rb

@@ -126,6 +126,11 @@ module HexaPDF
                 lister: "flags", getter: "flagged?", setter: "flag", unsetter: "unflag",
                 value_getter: "self[:F]", value_setter: "self[:F]")
 
+      # Returns +true+ since outline items must always be indirect objects.
+      def must_be_indirect?
+        true
+      end
+
       # :call-seq:
       #   item.title          -> title
       #   item.title(value)   -> title
@@ -198,9 +203,46 @@ module HexaPDF
         end
       end
 
+      # Returns the outline level this item is one.
+      #
+      # The level of the items in the main outline dictionary, the root level, is 1.
+      #
+      # Here is an illustrated example of items contained in a document outline with their
+      # associated level:
+      #
+      #  Outline dictionary          0
+      #    Outline item 1            1
+      #    |- Sub item 1             2
+      #    |- Sub item 2             2
+      #       |- Sub sub item 1      3
+      #    |- Sub item 3             2
+      #    Outline item 2            1
+      def level
+        count = 0
+        temp = self
+        count += 1 while (temp = temp[:Parent])
+        count
+      end
+
+      # Returns the destination page if there is any.
+      #
+      # * If a destination is set, the associated page is returned.
+      # * If an action is set and it is a GoTo action, the associated page is returned.
+      # * Otherwise +nil+ is returned.
+      def destination_page
+        dest = self[:Dest]
+        dest = action[:D] if !dest && (action = self[:A]) && action[:S] == :GoTo
+        document.destinations.resolve(dest)&.page
+      end
+
       # Adds, as child to this item, a new outline item with the given title that performs the
       # provided action on clicking. Returns the newly added item.
       #
+      # Alternatively, it is possible to provide an already initialized outline item instead of the
+      # title. If so, the only other argument that is used is +position+. Existing fields /Prev,
+      # /Next, /First, /Last, /Parent and /Count are deleted from the given item and set
+      # appropriately.
+      #
       # If neither :destination nor :action is specified, the outline item has no associated action.
       # This is only meaningful if the new item will have children as it then acts just as a
       # container.
@@ -251,16 +293,30 @@ module HexaPDF
       #   end
       def add_item(title, destination: nil, action: nil, position: :last, open: true,
                    text_color: nil, flags: nil) # :yield: item
-        item = document.add({Parent: self}, type: :XXOutlineItem)
-        item.title(title)
-        if action
-          item.action(action)
+        if title.kind_of?(HexaPDF::Object) && title.type == :XXOutlineItem
+          item = title
+          item.delete(:Prev)
+          item.delete(:Next)
+          item.delete(:First)
+          item.delete(:Last)
+          if item[:Count] && item[:Count] >= 0
+            item[:Count] = 0
+          else
+            item.delete(:Count)
+          end
+          item[:Parent] = self
         else
-          item.destination(destination)
+          item = document.add({Parent: self}, type: :XXOutlineItem)
+          item.title(title)
+          if action
+            item.action(action)
+          else
+            item.destination(destination)
+          end
+          item.text_color(text_color) if text_color
+          item.flag(*flags) if flags
+          item[:Count] = 0 if open # Count=0 means open if items are later added
         end
-        item.text_color(text_color) if text_color
-        item.flag(*flags) if flags
-        item[:Count] = 0 if open # Count=0 means open if items are later added
 
         unless position == :last || position == :first || position.kind_of?(Integer)
           raise ArgumentError, "position must be :first, :last, or an integer"
@@ -311,18 +367,20 @@ module HexaPDF
       end
 
       # :call-seq:
-      #   item.each_item {|descendant_item| block }   -> item
-      #   item.each_item                              -> Enumerator
+      #   item.each_item {|descendant_item, level| block }   -> item
+      #   item.each_item                                     -> Enumerator
       #
       # Iterates over all descendant items of this one.
       #
-      # The items are yielded in-order, yielding first the item itself and then its descendants.
+      # The descendant items are yielded in-order, yielding first the item itself and then its
+      # descendants.
       def each_item(&block)
         return to_enum(__method__) unless block_given?
+        return self unless (item = self[:First])
 
-        item = self[:First]
+        level = self.level + 1
         while item
-          yield(item)
+          yield(item, level)
           item.each_item(&block)
           item = item[:Next]
         end
@@ -341,7 +399,7 @@ module HexaPDF
           node, dir = first ? [first, :Next] : [last, :Prev]
           node = node[dir] while node.key?(dir)
           self[dir == :Next ? :Last : :First] = node
-        elsif !first && !last && self[:Count] != 0
+        elsif !first && !last && self[:Count] && self[:Count] != 0
           yield('Outline item dictionary key /Count set but no descendants exist', true)
           delete(:Count)
         end

data/lib/hexapdf/type/page.rb

@@ -187,8 +187,8 @@ module HexaPDF
       end
 
       # :call-seq:
-      #   page.box(type = :media)              -> box
-      #   page.box(type = :media, rectangle)   -> rectangle
+      #   page.box(type = :crop)              -> box
+      #   page.box(type = :crop, rectangle)   -> rectangle
       #
       # If no +rectangle+ is given, returns the rectangle defining a certain kind of box for the
       # page. Otherwise sets the value for the given box type to +rectangle+ (an array with four
@@ -219,7 +219,7 @@ module HexaPDF
       #     author. The default is the crop box.
       #
       # See: PDF1.7 s14.11.2
-      def box(type = :media, rectangle = nil)
+      def box(type = :crop, rectangle = nil)
         if rectangle
           case type
           when :media, :crop, :bleed, :trim, :art
@@ -240,9 +240,10 @@ module HexaPDF
         end
       end
 
-      # Returns the orientation of the media box, either :portrait or :landscape.
-      def orientation
-        box = self[:MediaBox]
+      # Returns the orientation of the specified box (default is the crop box), either :portrait or
+      # :landscape.
+      def orientation(type = :crop)
+        box = self.box(type)
         rotation = self[:Rotate]
         if (box.height > box.width && (rotation == 0 || rotation == 180)) ||
             (box.height < box.width && (rotation == 90 || rotation == 270))
@@ -272,21 +273,28 @@ module HexaPDF
           delete(:Rotate)
           return if cw_angle == 0
 
-          matrix, llx, lly, urx, ury = \
-            case cw_angle
-            when 90
-              [HexaPDF::Content::TransformationMatrix.new(0, -1, 1, 0),
-               box.right, box.bottom, box.left, box.top]
-            when 180
-              [HexaPDF::Content::TransformationMatrix.new(-1, 0, 0, -1),
-               box.right, box.top, box.left, box.bottom]
-            when 270
-              [HexaPDF::Content::TransformationMatrix.new(0, 1, -1, 0),
-               box.left, box.top, box.right, box.bottom]
-            end
-          [:MediaBox, :CropBox, :BleedBox, :TrimBox, :ArtBox].each do |box|
-            next unless key?(box)
-            self[box].value = matrix.evaluate(llx, lly).concat(matrix.evaluate(urx, ury))
+          matrix = case cw_angle
+                   when 90
+                     HexaPDF::Content::TransformationMatrix.new(0, -1, 1, 0)
+                   when 180
+                     HexaPDF::Content::TransformationMatrix.new(-1, 0, 0, -1)
+                   when 270
+                     HexaPDF::Content::TransformationMatrix.new(0, 1, -1, 0)
+                   end
+
+          [:MediaBox, :CropBox, :BleedBox, :TrimBox, :ArtBox].each do |box_name|
+            next unless key?(box_name)
+            box = self[box_name]
+            llx, lly, urx, ury = \
+              case cw_angle
+              when 90
+                [box.right, box.bottom, box.left, box.top]
+              when 180
+                [box.right, box.top, box.left, box.bottom]
+              when 270
+                [box.left, box.top, box.right, box.bottom]
+              end
+            self[box_name].value = matrix.evaluate(llx, lly).concat(matrix.evaluate(urx, ury))
           end
 
           before_contents = document.add({}, stream: " q #{matrix.to_a.join(' ')} cm ")
@@ -373,20 +381,33 @@ module HexaPDF
 
       # Returns the requested type of canvas for the page.
       #
-      # The canvas object is cached once it is created so that its graphics state is correctly
-      # retained without the need for parsing its contents.
-      #
-      # If the media box of the page doesn't have its origin at (0, 0), the canvas origin is
-      # translated into the bottom left corner so that this detail doesn't matter when using the
-      # canvas. This means that the canvas' origin is always at the bottom left corner of the media
-      # box.
+      # There are potentially three different canvas objects, one for each of the types :underlay,
+      # :page, and :overlay. The canvas objects are cached once they are created so that their
+      # graphics states are correctly retained without the need for parsing the contents. This also
+      # means that on subsequent invocations the graphic states of the canvases might already be
+      # changed.
       #
       # type::
       #    Can either be
       #    * :page for getting the canvas for the page itself (only valid for initially empty pages)
       #    * :overlay for getting the canvas for drawing over the page contents
       #    * :underlay for getting the canvas for drawing unter the page contents
-      def canvas(type: :page)
+      #
+      # translate_origin::
+      #    Specifies whether the origin should automatically be translated into the lower-left
+      #    corner of the crop box.
+      #
+      #    Note that this argument is only used for the first invocation for every canvas type. So
+      #    if a canvas was initially requested with this argument set to false and then with true,
+      #    it won't have any effect as the cached canvas is returned.
+      #
+      #    To check whether the origin has been translated or not, use
+      #
+      #      canvas.graphics_state.ctm.evaluate(0, 0)
+      #
+      #    and check whether the result is [0, 0]. If it is, then the origin has not been
+      #    translated.
+      def canvas(type: :page, translate_origin: true)
         unless [:page, :overlay, :underlay].include?(type)
           raise ArgumentError, "Invalid value for 'type', expected: :page, :underlay or :overlay"
         end
@@ -399,9 +420,10 @@ module HexaPDF
 
         create_canvas = lambda do
           Content::Canvas.new(self).tap do |canvas|
-            media_box = box(:media)
-            if media_box.left != 0 || media_box.bottom != 0
-              canvas.translate(media_box.left, media_box.bottom)
+            next unless translate_origin
+            crop_box = box(:crop)
+            if crop_box.left != 0 || crop_box.bottom != 0
+              canvas.translate(crop_box.left, crop_box.bottom)
             end
           end
         end
@@ -505,9 +527,8 @@ module HexaPDF
 
         canvas = self.canvas(type: :overlay)
         canvas.save_graphics_state
-        media_box = box(:media)
-        if media_box.left != 0 || media_box.bottom != 0
-          canvas.translate(-media_box.left, -media_box.bottom) # revert initial translation of origin
+        if (pos = canvas.graphics_state.ctm.evaluate(0, 0)) != [0, 0]
+          canvas.translate(-pos[0], -pos[1])
         end
 
         to_delete = []

data/lib/hexapdf/type/resources.rb

@@ -217,24 +217,20 @@ module HexaPDF
       # Ensures that a valid procedure set is available.
       def perform_validation
         super
-        val = self[:ProcSet]
-        if val
-          if val.kind_of?(Symbol)
-            yield("Procedure set is a single value instead of an Array", true)
-            val = value[:ProcSet] = [val]
-          end
-          val.reject! do |name|
-            case name
-            when :PDF, :Text, :ImageB, :ImageC, :ImageI
-              false
-            else
-              yield("Invalid page procedure set name /#{name}", true)
-              true
-            end
+        return unless (val = self[:ProcSet])
+
+        if val.kind_of?(Symbol)
+          yield("Procedure set is a single value instead of an Array", true)
+          val = value[:ProcSet] = [val]
+        end
+        val.reject! do |name|
+          case name
+          when :PDF, :Text, :ImageB, :ImageC, :ImageI
+            false
+          else
+            yield("Invalid page procedure set name /#{name}", true)
+            true
           end
-        else
-          yield("No procedure set specified", true)
-          self[:ProcSet] = [:PDF, :Text, :ImageB, :ImageC, :ImageI]
         end
       end
 

data/lib/hexapdf/type/signature/adbe_pkcs7_detached.rb

@@ -104,8 +104,22 @@ module HexaPDF
             result.log(:error, "Certificate key usage is missing 'Digital Signature'")
           end
 
-          if @pkcs7.verify(certificate_chain, store, signature_dict.signed_data,
-                           OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
+          if signature_dict.signature_type == 'ETSI.RFC3161'
+            # Getting the needed values is not directly supported by Ruby OpenSSL
+            p7 = OpenSSL::ASN1.decode(signature_dict.contents.sub(/\x00*\z/, ''))
+            signed_data = p7.value[1].value[0]
+            content_info = signed_data.value[2]
+            content = OpenSSL::ASN1.decode(content_info.value[1].value[0].value)
+            digest_algorithm = content.value[2].value[0].value[0].value
+            original_hash = content.value[2].value[1].value
+            recomputed_hash = OpenSSL::Digest.digest(digest_algorithm, signature_dict.signed_data)
+            hash_valid = (original_hash == recomputed_hash)
+          else
+            data = signature_dict.signed_data
+            hash_valid = true # hash will be checked by @pkcs7.verify
+          end
+          if hash_valid && @pkcs7.verify(certificate_chain, store, data,
+                                         OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
             result.log(:info, "Signature valid")
           else
             result.log(:error, "Signature verification failed")

data/lib/hexapdf/type/signature.rb

@@ -230,6 +230,16 @@ module HexaPDF
         signature_handler.verify(store, allow_self_signed: allow_self_signed)
       end
 
+      private
+
+      def perform_validation #:nodoc:
+        if (self[:SubFilter] == :'ETSI.CAdES.detached' || self[:SubFilter] == :'ETSI.RFC3161') &&
+            document.version < '2.0'
+          yield("Signature handler needs at least PDF version 2.0", true)
+          document.version = '2.0'
+        end
+      end
+
     end
 
   end

data/lib/hexapdf/version.rb

@@ -37,6 +37,6 @@
 module HexaPDF
 
   # The version of HexaPDF.
-  VERSION = '0.26.2'
+  VERSION = '0.27.0'
 
 end

data/lib/hexapdf/writer.rb

@@ -110,6 +110,9 @@ module HexaPDF
 
       revision = Revision.new(@document.revisions.current.trailer)
       @document.trailer.info[:Producer] = "HexaPDF version #{HexaPDF::VERSION}"
+      if parser.file_header_version < @document.version
+        @document.catalog[:Version] = @document.version.to_sym
+      end
       @document.revisions.each do |rev|
         rev.each_modified_object {|obj| revision.send(:add_without_check, obj) }
       end

data/test/hexapdf/document/test_destinations.rb

@@ -29,6 +29,12 @@ describe HexaPDF::Document::Destinations::Destination do
     end
   end
 
+  it "accepts an array or a dictionary containing a /D entry as value" do
+    assert(destination([5, :Fit]).valid?)
+    assert(destination({D: [5, :Fit]}).valid?)
+    assert(destination(HexaPDF::Dictionary.new({D: [5, :Fit]})).valid?)
+  end
+
   it "can be asked whether the referenced page is in a remote document" do
     assert(destination([5, :Fit]).remote?)
     refute(destination([HexaPDF::Dictionary.new({}), :Fit]).remote?)
@@ -42,6 +48,10 @@ describe HexaPDF::Document::Destinations::Destination do
     assert(destination([5, :Fit]).valid?)
   end
 
+  it "returns the destination array" do
+    assert_equal([5, :Fit], destination([5, :Fit]).value)
+  end
+
   describe "type :xyz" do
     before do
       @dest = destination([:page, :XYZ, :left, :top, :zoom])
@@ -396,6 +406,37 @@ describe HexaPDF::Document::Destinations do
     refute(@doc.destinations['abc'])
   end
 
+  describe "resolve" do
+    it "resolves the named destination" do
+      @doc.catalog.names.destinations.add_entry("arr", [@page, :Fit])
+      @doc.catalog.names.destinations.add_entry("dict", {D: [@page, :Fit]})
+      assert_equal([@page, :Fit], @doc.destinations.resolve("arr").value)
+      assert_equal([@page, :Fit], @doc.destinations.resolve("dict").value)
+    end
+
+    it "returns nil if the named destination is not found" do
+      assert_nil(@doc.destinations.resolve("arr"))
+    end
+
+    it "resolves the old-style named destination" do
+      @doc.catalog[:Dests] = {arr: [@page, :Fit]}
+      assert_equal([@page, :Fit], @doc.destinations.resolve(:arr).value)
+    end
+
+    it "returns nil if the old-style named destination is not found" do
+      assert_nil(@doc.destinations.resolve(:arr))
+    end
+
+    it "uses a PDFArray or array argument directly" do
+      assert_equal([@page, :Fit], @doc.destinations.resolve([@page, :Fit]).value)
+      assert_equal([@page, :Fit], @doc.destinations.resolve(HexaPDF::PDFArray.new([@page, :Fit])).value)
+    end
+
+    it "returns nil if the resolved destination is not valid" do
+      assert_nil(@doc.destinations.resolve([@page, :Fitd]))
+    end
+  end
+
   describe "each" do
     before do
       3.times {|i| @doc.destinations.add("abc#{i}", [:page, :Fit]) }

data/test/hexapdf/document/test_signatures.rb

@@ -19,17 +19,37 @@ describe HexaPDF::Document::Signatures do
     )
   end
 
-  describe "DefaultHandler" do
-    it "returns the filter name" do
-      assert_equal(:'Adobe.PPKLite', @handler.filter_name)
-    end
-
-    it "returns the sub filter algorithm name" do
-      assert_equal(:'adbe.pkcs7.detached', @handler.sub_filter_name)
+  it "allows embedding an external signature value" do
+    doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+    io = StringIO.new(''.b)
+    doc.signatures.add(io, @handler)
+    doc = HexaPDF::Document.new(io: io)
+    io = StringIO.new(''.b)
+
+    byte_range = nil
+    @handler.signature_size = 5000
+    @handler.external_signing = proc {|_, br| byte_range = br; "" }
+    doc.signatures.add(io, @handler)
+
+    io.pos = byte_range[0]
+    data = io.read(byte_range[1])
+    io.pos = byte_range[2]
+    data << io.read(byte_range[3])
+    contents = OpenSSL::PKCS7.sign(@handler.certificate, @handler.key, data, @handler.certificate_chain,
+                                   OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+    HexaPDF::Document::Signatures.embed_signature(io, contents)
+    doc = HexaPDF::Document.new(io: io)
+    assert_equal(2, doc.signatures.each.count)
+    doc.signatures.each do |signature|
+      assert(signature.verify(allow_self_signed: true).messages.find {|m| m.content == 'Signature valid' })
     end
+  end
 
+  describe "DefaultHandler" do
     it "returns the size of serialized signature" do
       assert_equal(1310, @handler.signature_size)
+      @handler.signature_size = 100
+      assert_equal(100, @handler.signature_size)
     end
 
     it "allows setting the DocMDP permissions" do
@@ -56,16 +76,23 @@ describe HexaPDF::Document::Signatures do
       assert_raises(ArgumentError) { @handler.doc_mdp_permissions = :other }
     end
 
-    it "can sign the data using PKCS7" do
-      data = "data"
-      store = OpenSSL::X509::Store.new
-      store.add_cert(CERTIFICATES.ca_certificate)
+    describe "sign" do
+      it "can sign the data using PKCS7" do
+        data = StringIO.new("data")
+        store = OpenSSL::X509::Store.new
+        store.add_cert(CERTIFICATES.ca_certificate)
+
+        pkcs7 = OpenSSL::PKCS7.new(@handler.sign(data, [0, 4, 0, 0]))
+        assert(pkcs7.detached?)
+        assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                     pkcs7.certificates)
+        assert(pkcs7.verify([], store, data.string, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY))
+      end
 
-      pkcs7 = OpenSSL::PKCS7.new(@handler.sign(data))
-      assert(pkcs7.detached?)
-      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
-                   pkcs7.certificates)
-      assert(pkcs7.verify([], store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY))
+      it "can use external signing" do
+        @handler.external_signing = proc { "hallo" }
+        assert_equal("hallo", @handler.sign(StringIO.new, [0, 0, 0, 0]))
+      end
     end
 
     describe "finalize_objects" do
@@ -80,6 +107,12 @@ describe HexaPDF::Document::Signatures do
         assert(@obj.empty?)
       end
 
+      it "adjust the /SubFilter if signature type is etsi" do
+        @handler.signature_type = :etsi
+        @handler.finalize_objects(@field, @obj)
+        assert_equal(:'ETSI.CAdES.detached', @obj[:SubFilter])
+      end
+
       it "sets the reason, location and contact info fields" do
         @handler.reason = 'Reason'
         @handler.location = 'Location'
@@ -111,6 +144,87 @@ describe HexaPDF::Document::Signatures do
     end
   end
 
+  describe "TimestampHandler" do
+    before do
+      @handler = HexaPDF::Document::Signatures::TimestampHandler.new
+    end
+
+    it "allows setting the attributes in the constructor" do
+      handler = HexaPDF::Document::Signatures::TimestampHandler.new(
+        tsa_url: "url", tsa_hash_algorithm: "MD5", tsa_policy_id: "5",
+        reason: "Reason", location: "Location", contact_info: "Contact",
+        signature_size: 1_000
+      )
+      assert_equal("url", handler.tsa_url)
+      assert_equal("MD5", handler.tsa_hash_algorithm)
+      assert_equal("5", handler.tsa_policy_id)
+      assert_equal("Reason", handler.reason)
+      assert_equal("Location", handler.location)
+      assert_equal("Contact", handler.contact_info)
+      assert_equal(1_000, handler.signature_size)
+    end
+
+    it "finalizes the signature field and signature objects" do
+      @field = @doc.wrap({})
+      @sig = @doc.wrap({})
+      @handler.reason = 'Reason'
+      @handler.location = 'Location'
+      @handler.contact_info = 'Contact'
+
+      @handler.finalize_objects(@field, @sig)
+      assert_equal('2.0', @doc.version)
+      assert_equal(:DocTimeStamp, @sig[:Type])
+      assert_equal(:'ETSI.RFC3161', @sig[:SubFilter])
+      assert_equal('Reason', @sig[:Reason])
+      assert_equal('Location', @sig[:Location])
+      assert_equal('Contact', @sig[:ContactInfo])
+    end
+
+    it "returns the size of serialized signature" do
+      @handler.tsa_url = "http://127.0.0.1:34567"
+      CERTIFICATES.start_tsa_server
+      assert_equal(1420, @handler.signature_size)
+    end
+
+    describe "sign" do
+      before do
+        @data = StringIO.new("data")
+        @range = [0, 4, 0, 0]
+        @handler.tsa_url = "http://127.0.0.1:34567"
+        CERTIFICATES.start_tsa_server
+      end
+
+      it "respects the set hash algorithm and policy id" do
+        @handler.tsa_hash_algorithm = 'SHA256'
+        @handler.tsa_policy_id = '1.2.3.4.2'
+        token = OpenSSL::ASN1.decode(@handler.sign(@data, @range))
+        content = OpenSSL::ASN1.decode(token.value[1].value[0].value[2].value[1].value[0].value)
+        policy_id = content.value[1].value
+        digest_algorithm = content.value[2].value[0].value[0].value
+        assert_equal('SHA256', digest_algorithm)
+        assert_equal("1.2.3.4.2", policy_id)
+      end
+
+      it "returns the serialized timestamp token" do
+        token = OpenSSL::PKCS7.new(@handler.sign(@data, @range))
+        assert_equal(CERTIFICATES.ca_certificate.subject, token.signers[0].issuer)
+        assert_equal(CERTIFICATES.timestamp_certificate.serial, token.signers[0].serial)
+      end
+
+      it "fails if the timestamp token could not be created" do
+        @handler.tsa_hash_algorithm = 'SHA1'
+        msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+        assert_match(/BAD_ALG/, msg.message)
+      end
+
+      it "fails if the timestamp server couldn't process the request" do
+        @handler.tsa_policy_id = '1.2.3.4.1'
+        msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+        assert_match(/Invalid TSA server response/, msg.message)
+      end
+    end
+  end
+
   it "iterates over all signature dictionaries" do
     assert_equal([], @doc.signatures.to_a)
     @sig1.field_value = :sig1
@@ -164,7 +278,7 @@ describe HexaPDF::Document::Signatures do
       sig = @doc.signatures.first
       assert_equal(:'Adobe.PPKLite', sig[:Filter])
       assert_equal(:'adbe.pkcs7.detached', sig[:SubFilter])
-      assert_equal([0, 968, 3590, 2517], sig[:ByteRange].value)
+      assert_equal([0, 996, 3618, 2501], sig[:ByteRange].value)
       assert_equal(:sig, sig[:key])
       assert_equal(:sig_field, @doc.acro_form.each_field.first[:key])
       assert(sig.key?(:Contents))
@@ -205,14 +319,14 @@ describe HexaPDF::Document::Signatures do
     it "handles different xref section types correctly when determing the offsets" do
       @doc.delete(7)
       sig = @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
-      assert_equal([0, 968, 3590, 2491], sig[:ByteRange].value)
+      assert_equal([0, 988, 3610, 2483], sig[:ByteRange].value)
     end
 
     it "works if the signature object is the last object of the xref section" do
       field = @doc.acro_form(create: true).create_signature_field('Signature2')
       field.create_widget(@doc.pages[0], Rect: [0, 0, 0, 0])
       sig = @doc.signatures.add(@io, @handler, signature: field, write_options: {update_fields: false})
-      assert_equal([0, 3063, 5685, 400], sig[:ByteRange].value)
+      assert_equal([0, 3095, 5717, 380], sig[:ByteRange].value)
     end
 
     it "allows writing to a file in addition to writing to an IO" do
@@ -228,5 +342,11 @@ describe HexaPDF::Document::Signatures do
       signed_doc = HexaPDF::Document.new(io: @io)
       assert(signed_doc.signatures.first.verify)
     end
+
+    it "fails if the reserved signature space is too small" do
+      def @handler.signature_size; 200; end
+      msg = assert_raises(HexaPDF::Error) { @doc.signatures.add(@io, @handler) }
+      assert_match(/space.*too small.*200 vs/, msg.message)
+    end
   end
 end