RubyGems - hexapdf - Versions diffs - 0.27.0 → 0.29.0 - Mend

hexapdf 0.27.0 → 0.29.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +100 -11
data/examples/019-acro_form.rb +14 -3
data/examples/023-images.rb +30 -0
data/examples/024-digital-signatures.rb +23 -0
data/lib/hexapdf/cli/info.rb +5 -1
data/lib/hexapdf/cli/inspect.rb +2 -2
data/lib/hexapdf/cli/split.rb +2 -2
data/lib/hexapdf/configuration.rb +13 -14
data/lib/hexapdf/content/canvas.rb +8 -3
data/lib/hexapdf/dictionary.rb +1 -5
data/lib/hexapdf/dictionary_fields.rb +6 -2
data/lib/hexapdf/digital_signature/cms_handler.rb +137 -0
data/lib/hexapdf/digital_signature/handler.rb +138 -0
data/lib/hexapdf/digital_signature/pkcs1_handler.rb +96 -0
data/lib/hexapdf/{type → digital_signature}/signature.rb +3 -8
data/lib/hexapdf/digital_signature/signatures.rb +210 -0
data/lib/hexapdf/digital_signature/signing/default_handler.rb +317 -0
data/lib/hexapdf/digital_signature/signing/signed_data_creator.rb +308 -0
data/lib/hexapdf/digital_signature/signing/timestamp_handler.rb +148 -0
data/lib/hexapdf/digital_signature/signing.rb +101 -0
data/lib/hexapdf/{type/signature → digital_signature}/verification_result.rb +37 -41
data/lib/hexapdf/digital_signature.rb +56 -0
data/lib/hexapdf/document.rb +27 -24
data/lib/hexapdf/encryption/standard_security_handler.rb +2 -1
data/lib/hexapdf/filter/ascii85_decode.rb +1 -1
data/lib/hexapdf/importer.rb +32 -27
data/lib/hexapdf/layout/list_box.rb +1 -5
data/lib/hexapdf/object.rb +5 -0
data/lib/hexapdf/parser.rb +13 -0
data/lib/hexapdf/revision.rb +15 -12
data/lib/hexapdf/revisions.rb +4 -0
data/lib/hexapdf/tokenizer.rb +14 -8
data/lib/hexapdf/type/acro_form/appearance_generator.rb +174 -128
data/lib/hexapdf/type/acro_form/button_field.rb +5 -3
data/lib/hexapdf/type/acro_form/choice_field.rb +2 -0
data/lib/hexapdf/type/acro_form/field.rb +11 -5
data/lib/hexapdf/type/acro_form/form.rb +33 -7
data/lib/hexapdf/type/acro_form/signature_field.rb +2 -0
data/lib/hexapdf/type/acro_form/text_field.rb +12 -2
data/lib/hexapdf/type/annotations/widget.rb +3 -0
data/lib/hexapdf/type/font_true_type.rb +14 -0
data/lib/hexapdf/type/object_stream.rb +2 -2
data/lib/hexapdf/type/outline.rb +1 -1
data/lib/hexapdf/type/page.rb +56 -46
data/lib/hexapdf/type.rb +0 -1
data/lib/hexapdf/version.rb +1 -1
data/lib/hexapdf/writer.rb +2 -3
data/test/hexapdf/content/test_canvas.rb +5 -0
data/test/hexapdf/{type/signature → digital_signature}/common.rb +34 -4
data/test/hexapdf/digital_signature/signing/test_default_handler.rb +162 -0
data/test/hexapdf/digital_signature/signing/test_signed_data_creator.rb +225 -0
data/test/hexapdf/digital_signature/signing/test_timestamp_handler.rb +88 -0
data/test/hexapdf/{type/signature/test_adbe_pkcs7_detached.rb → digital_signature/test_cms_handler.rb} +7 -7
data/test/hexapdf/{type/signature → digital_signature}/test_handler.rb +4 -4
data/test/hexapdf/{type/signature/test_adbe_x509_rsa_sha1.rb → digital_signature/test_pkcs1_handler.rb} +3 -3
data/test/hexapdf/{type → digital_signature}/test_signature.rb +7 -7
data/test/hexapdf/digital_signature/test_signatures.rb +137 -0
data/test/hexapdf/digital_signature/test_signing.rb +53 -0
data/test/hexapdf/{type/signature → digital_signature}/test_verification_result.rb +7 -7
data/test/hexapdf/document/test_pages.rb +2 -2
data/test/hexapdf/encryption/test_aes.rb +1 -1
data/test/hexapdf/filter/test_predictor.rb +0 -1
data/test/hexapdf/layout/test_box.rb +2 -1
data/test/hexapdf/layout/test_column_box.rb +1 -1
data/test/hexapdf/layout/test_list_box.rb +1 -1
data/test/hexapdf/test_dictionary_fields.rb +2 -1
data/test/hexapdf/test_document.rb +3 -9
data/test/hexapdf/test_importer.rb +13 -6
data/test/hexapdf/test_parser.rb +17 -0
data/test/hexapdf/test_revision.rb +15 -14
data/test/hexapdf/test_revisions.rb +43 -0
data/test/hexapdf/test_stream.rb +1 -1
data/test/hexapdf/test_tokenizer.rb +3 -4
data/test/hexapdf/test_writer.rb +3 -3
data/test/hexapdf/type/acro_form/test_appearance_generator.rb +135 -56
data/test/hexapdf/type/acro_form/test_button_field.rb +6 -1
data/test/hexapdf/type/acro_form/test_choice_field.rb +4 -0
data/test/hexapdf/type/acro_form/test_field.rb +4 -4
data/test/hexapdf/type/acro_form/test_form.rb +18 -0
data/test/hexapdf/type/acro_form/test_signature_field.rb +4 -0
data/test/hexapdf/type/acro_form/test_text_field.rb +13 -0
data/test/hexapdf/type/test_font_true_type.rb +20 -0
data/test/hexapdf/type/test_object_stream.rb +2 -1
data/test/hexapdf/type/test_outline.rb +3 -0
data/test/hexapdf/type/test_page.rb +67 -30
data/test/hexapdf/type/test_page_tree_node.rb +4 -2
metadata +69 -16
data/lib/hexapdf/document/signatures.rb +0 -546
data/lib/hexapdf/type/signature/adbe_pkcs7_detached.rb +0 -135
data/lib/hexapdf/type/signature/adbe_x509_rsa_sha1.rb +0 -95
data/lib/hexapdf/type/signature/handler.rb +0 -140
data/test/hexapdf/document/test_signatures.rb +0 -352

data/test/hexapdf/digital_signature/signing/test_default_handler.rb ADDED Viewed

@@ -0,0 +1,162 @@
+# -*- encoding: utf-8 -*-
+require 'test_helper'
+require 'hexapdf/document'
+require_relative '../common'
+describe HexaPDF::DigitalSignature::Signing::DefaultHandler do
+  before do
+    @doc = HexaPDF::Document.new
+    @handler = HexaPDF::DigitalSignature::Signing::DefaultHandler.new(
+      certificate: CERTIFICATES.signer_certificate,
+      key: CERTIFICATES.signer_key,
+      certificate_chain: [CERTIFICATES.ca_certificate]
+    )
+  end
+  it "defaults to standard CMS signatures" do
+    assert_equal(:cms, @handler.signature_type)
+  end
+  it "returns the size of serialized signature" do
+    assert(@handler.signature_size > 1000)
+    @handler.signature_size = 100
+    assert_equal(100, @handler.signature_size)
+  end
+  it "allows setting the DocMDP permissions" do
+    assert_nil(@handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = :no_changes
+    assert_equal(1, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = 1
+    assert_equal(1, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = :form_filling
+    assert_equal(2, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = 2
+    assert_equal(2, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = :form_filling_and_annotations
+    assert_equal(3, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = 3
+    assert_equal(3, @handler.doc_mdp_permissions)
+    @handler.doc_mdp_permissions = nil
+    assert_nil(@handler.doc_mdp_permissions)
+    assert_raises(ArgumentError) { @handler.doc_mdp_permissions = :other }
+  end
+  describe "sign" do
+    it "can sign the data using the provided certificate and key" do
+      data = StringIO.new("data")
+      signed_data = @handler.sign(data, [0, data.string.size, 0, 0])
+      pkcs7 = OpenSSL::PKCS7.new(signed_data)
+      assert(pkcs7.detached?)
+      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                   pkcs7.certificates)
+      store = OpenSSL::X509::Store.new
+      store.add_cert(CERTIFICATES.ca_certificate)
+      assert(pkcs7.verify([], store, data.string, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY))
+    end
+    it "can change the used digest algorithm" do
+      @handler.digest_algorithm = 'sha384'
+      asn1 = OpenSSL::ASN1.decode(@handler.sign(StringIO.new('data'), [0, 4, 0, 0]))
+      assert_equal('SHA384', asn1.value[1].value[0].value[1].value[0].value[0].value)
+    end
+    it "can embed a timestamp token" do
+      @handler.timestamp_handler = tsh = Object.new
+      tsh.define_singleton_method(:sign) {|_, _| OpenSSL::ASN1::OctetString.new("signed-tsh") }
+      signed = @handler.sign(StringIO.new('data'), [0, 4, 0, 0])
+      asn1 = OpenSSL::ASN1.decode(signed)
+      assert_equal('signed-tsh', asn1.value[1].value[0].value[4].value[0].
+                   value[6].value[0].value[1].value[0].value)
+    end
+    it "creates PAdES compatible signatures" do
+      @handler.signature_type = :pades
+      signed = @handler.sign(StringIO.new('data'), [0, 4, 0, 0])
+      asn1 = OpenSSL::ASN1.decode(signed)
+      # check by absence of signing-time signed attribute
+      refute(asn1.value[1].value[0].value[4].value[0].value[3].value.
+             find {|obj| obj.value[0].value == 'signingTime' })
+    end
+    it "can use external signing without certificate set" do
+      @handler.certificate = nil
+      @handler.external_signing = proc { "hallo" }
+      assert_equal("hallo", @handler.sign(StringIO.new, [0, 0, 0, 0]))
+    end
+    it "can use external signing with certificate set but not the key" do
+      @handler.key = nil
+      @handler.external_signing = proc do |algorithm, _hash|
+        assert_equal('sha256', algorithm)
+        "hallo"
+      end
+      result = @handler.sign(StringIO.new, [0, 0, 0, 0])
+      asn1 = OpenSSL::ASN1.decode(result)
+      assert_equal("hallo", asn1.value[1].value[0].value[4].value[0].value[5].value)
+    end
+  end
+  describe "finalize_objects" do
+    before do
+      @field = @doc.wrap({})
+      @obj = @doc.wrap({})
+    end
+    it "only sets the mandatory values if no concrete finalization tasks need to be done" do
+      @handler.finalize_objects(@field, @obj)
+      assert(@field.empty?)
+      assert_equal(:'Adobe.PPKLite', @obj[:Filter])
+      assert_equal(:'adbe.pkcs7.detached', @obj[:SubFilter])
+      assert_kind_of(Time, @obj[:M])
+    end
+    it "adjust the /SubFilter if signature type is pades" do
+      @handler.signature_type = :pades
+      @handler.finalize_objects(@field, @obj)
+      assert_equal(:'ETSI.CAdES.detached', @obj[:SubFilter])
+    end
+    it "sets the reason, location and contact info fields" do
+      @handler.reason = 'Reason'
+      @handler.location = 'Location'
+      @handler.contact_info = 'Contact'
+      @handler.finalize_objects(@field, @obj)
+      assert(@field.empty?)
+      assert_equal(['Reason', 'Location', 'Contact'], @obj.value.values_at(:Reason, :Location, :ContactInfo))
+    end
+    it "fills the build properties dictionary with appropriate application information" do
+      @handler.finalize_objects(@field, @obj)
+      assert_equal(:HexaPDF, @obj[:Prop_Build][:App][:Name])
+      assert_equal(HexaPDF::VERSION, @obj[:Prop_Build][:App][:REx])
+    end
+    it "applies the specified DocMDP permissions" do
+      @handler.doc_mdp_permissions = :no_changes
+      @handler.finalize_objects(@field, @obj)
+      ref = @obj[:Reference][0]
+      assert_equal(:DocMDP, ref[:TransformMethod])
+      assert_equal(:SHA256, ref[:DigestMethod])
+      assert_equal(1, ref[:TransformParams][:P])
+      assert_equal(:'1.2', ref[:TransformParams][:V])
+      assert_same(@obj, @doc.catalog[:Perms][:DocMDP])
+    end
+    it "fails if DocMDP should be set but there is already a signature" do
+      @handler.doc_mdp_permissions = :no_changes
+      2.times do
+        field = @doc.acro_form(create: true).create_signature_field('test')
+        field.field_value = :something
+      end
+      assert_raises(HexaPDF::Error) { @handler.finalize_objects(@field, @obj) }
+    end
+  end
+end

data/test/hexapdf/digital_signature/signing/test_signed_data_creator.rb ADDED Viewed

@@ -0,0 +1,225 @@
+# -*- encoding: utf-8 -*-
+require 'test_helper'
+require 'hexapdf/document'
+require_relative '../common'
+describe HexaPDF::DigitalSignature::Signing::SignedDataCreator do
+  before do
+    @klass = HexaPDF::DigitalSignature::Signing::SignedDataCreator
+    @signed_data = @klass.new
+    @signed_data.certificate = CERTIFICATES.signer_certificate
+    @signed_data.key = CERTIFICATES.signer_key
+    @signed_data.certificates = [CERTIFICATES.ca_certificate]
+  end
+  it "allows setting the attributes" do
+    obj = @klass.new
+    obj.certificate = :cert
+    obj.key = :key
+    obj.certificates = :certs
+    obj.digest_algorithm = 'sha512'
+    obj.timestamp_handler = :tsh
+    assert_equal(:cert, obj.certificate)
+    assert_equal(:key, obj.key)
+    assert_equal(:certs, obj.certificates)
+    assert_equal('sha512', obj.digest_algorithm)
+    assert_equal(:tsh, obj.timestamp_handler)
+  end
+  it "doesn't allow setting attributes to nil using ::create" do
+    asn1 = @klass.create("data",
+                         certificate: CERTIFICATES.signer_certificate,
+                         key: CERTIFICATES.signer_key,
+                         digest_algorithm: nil)
+    assert_equal('2.16.840.1.101.3.4.2.1', asn1.value[1].value[1].value[0].value[0].value)
+  end
+  describe "content info structure" do
+    it "sets the correct content type value for the outer container" do
+      asn1 = @signed_data.create("data")
+      assert_equal('1.2.840.113549.1.7.2', asn1.value[0].value)
+    end
+    it "has the signed data structure marked as explicit" do
+      asn1 = @signed_data.create("data")
+      signed_data = asn1.value[1]
+      assert_equal(0, signed_data.tag)
+      assert_equal(:EXPLICIT, signed_data.tagging)
+      assert_equal(:CONTEXT_SPECIFIC, signed_data.tag_class)
+    end
+  end
+  describe "signed data structure" do
+    before do
+      @structure = @signed_data.create("data").value[1]
+    end
+    it "sets the correct version" do
+      assert_equal(1, @structure.value[0].value)
+    end
+    it "contains a reference to the used digest algorithm" do
+      assert_equal('2.16.840.1.101.3.4.2.1', @structure.value[1].value[0].value[0].value)
+      assert_nil(@structure.value[1].value[0].value[1].value)
+    end
+    it "contains an empty encapsulated content structure" do
+      assert_equal(1, @structure.value[2].value.size)
+      assert_equal('1.2.840.113549.1.7.1', @structure.value[2].value[0].value)
+    end
+    it "contains the assigned certificates" do
+      assert_equal(2, @structure.value[3].value.size)
+      assert_equal(0, @structure.value[3].tag)
+      assert_equal(:IMPLICIT, @structure.value[3].tagging)
+      assert_equal(:CONTEXT_SPECIFIC, @structure.value[3].tag_class)
+      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                   @structure.value[3].value)
+    end
+    it "contains a single signer info structure" do
+      assert_equal(1, @structure.value[4].value.size)
+    end
+  end
+  describe "signer info" do
+    before do
+      @structure = @signed_data.create("data").value[1].value[4].value[0]
+    end
+    it "has the expected number of entries" do
+      assert_equal(6, @structure.value.size)
+    end
+    it "sets the correct version" do
+      assert_equal(1, @structure.value[0].value)
+    end
+    it "uses issuer and serial for the signer identifer" do
+      assert_equal(CERTIFICATES.signer_certificate.issuer, @structure.value[1].value[0])
+      assert_equal(CERTIFICATES.signer_certificate.serial, @structure.value[1].value[1].value)
+    end
+    it "contains a reference to the used digest algorithm" do
+      assert_equal('2.16.840.1.101.3.4.2.1', @structure.value[2].value[0].value)
+      assert_nil(@structure.value[2].value[1].value)
+    end
+    describe "signed attributes" do
+      it "uses the correct tagging for the attributes" do
+        assert_equal(0, @structure.value[3].tag)
+        assert_equal(:IMPLICIT, @structure.value[3].tagging)
+        assert_equal(:CONTEXT_SPECIFIC, @structure.value[3].tag_class)
+      end
+      it "contains the content type identifier" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.3' }
+        assert_equal('1.2.840.113549.1.7.1', attr.value[1].value[0].value)
+      end
+      it "contains the message digest attribute" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.4' }
+        assert_equal(OpenSSL::Digest.digest('SHA256', 'data'), attr.value[1].value[0].value)
+      end
+      it "contains the signing certificate attribute" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.16.2.47' }
+        signing_cert = attr.value[1].value[0]
+        assert_equal(1, signing_cert.value.size)
+        assert_equal(1, signing_cert.value[0].value.size)
+        assert_equal(2, signing_cert.value[0].value[0].value.size)
+        assert_equal(OpenSSL::Digest.digest('sha256', CERTIFICATES.signer_certificate.to_der),
+                     signing_cert.value[0].value[0].value[0].value)
+        assert_equal(2, signing_cert.value[0].value[0].value[1].value.size)
+        assert_equal(1, signing_cert.value[0].value[0].value[1].value[0].value.size)
+        assert_equal(1, signing_cert.value[0].value[0].value[1].value[0].value[0].value.size)
+        assert_equal(4, signing_cert.value[0].value[0].value[1].value[0].value[0].tag)
+        assert_equal(:IMPLICIT, signing_cert.value[0].value[0].value[1].value[0].value[0].tagging)
+        assert_equal(:CONTEXT_SPECIFIC, signing_cert.value[0].value[0].value[1].value[0].value[0].tag_class)
+        assert_equal(CERTIFICATES.signer_certificate.issuer,
+                     signing_cert.value[0].value[0].value[1].value[0].value[0].value[0])
+        assert_equal(CERTIFICATES.signer_certificate.serial,
+                     signing_cert.value[0].value[0].value[1].value[1].value)
+      end
+    end
+    it "contains the signature algorithm reference" do
+      assert_equal('1.2.840.113549.1.1.1', @structure.value[4].value[0].value)
+      assert_nil(@structure.value[4].value[1].value)
+    end
+    it "contains the signature itself" do
+      to_sign = OpenSSL::ASN1::Set.new(@structure.value[3].value).to_der
+      assert_equal(CERTIFICATES.signer_key.sign('SHA256', to_sign), @structure.value[5].value)
+    end
+    it "fails if the signature algorithm is not supported" do
+      @signed_data.certificate = CERTIFICATES.dsa_signer_certificate
+      @signed_data.key = CERTIFICATES.dsa_signer_key
+      assert_raises(HexaPDF::Error) { @signed_data.create("data") }
+    end
+    it "can use a different digest algorithm" do
+      @signed_data.digest_algorithm = 'sha384'
+      structure = @signed_data.create("data").value[1].value[4].value[0]
+      to_sign = OpenSSL::ASN1::Set.new(structure.value[3].value).to_der
+      assert_equal('2.16.840.1.101.3.4.2.2', structure.value[2].value[0].value)
+      assert_equal(CERTIFICATES.signer_key.sign('SHA384', to_sign), structure.value[5].value)
+    end
+    it "allows delegating the signature to a provided signing block" do
+      @signed_data.key = nil
+      digest_algorithm = nil
+      calculated_hash = nil
+      structure = @signed_data.create("data") do |algorithm, hash|
+        digest_algorithm = algorithm
+        calculated_hash = hash
+        "signed"
+      end.value[1].value[4].value[0]
+      to_sign = OpenSSL::Digest.digest('SHA256', OpenSSL::ASN1::Set.new(structure.value[3].value).to_der)
+      assert_equal('sha256', digest_algorithm)
+      assert_equal(calculated_hash, to_sign)
+      assert_equal('signed', structure.value[5].value)
+    end
+    describe "unsigned attributes" do
+      it "allows adding a timestamp token" do
+        tsh = Object.new
+        io = nil
+        byte_range = nil
+        tsh.define_singleton_method(:sign) do |i_io, i_byte_range|
+          io = i_io
+          byte_range = i_byte_range
+          "timestamp"
+        end
+        @signed_data.timestamp_handler = tsh
+        structure = @signed_data.create("data").value[1].value[4].value[0]
+        assert_equal(structure.value[5].value, io.string)
+        assert_equal([0, io.string.size, 0, 0], byte_range)
+        attr = structure.value[6].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.16.2.14' }
+        assert_equal("timestamp", attr.value[1].value[0])
+      end
+    end
+  end
+  describe "cms signature" do
+    it "includes the current time as signing time" do
+      Time.stub(:now, Time.at(0)) do
+        asn1 = OpenSSL::ASN1.decode(@signed_data.create("data"))
+        attr = asn1.value[1].value[0].value[4].value[0].value[3].value.
+          find {|obj| obj.value[0].value == 'signingTime' }
+        assert_equal(Time.now.utc, attr.value[1].value[0].value)
+      end
+    end
+  end
+  describe "pades signature" do
+    it "doesn't include the signing-time attribute" do
+      signer_info = @signed_data.create("data", type: :pades).value[1].value[4].value[0]
+      refute(signer_info.value[3].value.find {|obj| obj.value[0].value == 'signingTime' })
+    end
+  end
+end

data/test/hexapdf/digital_signature/signing/test_timestamp_handler.rb ADDED Viewed

@@ -0,0 +1,88 @@
+# -*- encoding: utf-8 -*-
+require 'test_helper'
+require 'hexapdf/document'
+require_relative '../common'
+describe HexaPDF::DigitalSignature::Signing::TimestampHandler do
+  before do
+    @doc = HexaPDF::Document.new
+    @handler = HexaPDF::DigitalSignature::Signing::TimestampHandler.new
+  end
+  it "allows setting the attributes in the constructor" do
+    handler = @handler.class.new(
+      tsa_url: "url", tsa_hash_algorithm: "MD5", tsa_policy_id: "5",
+      reason: "Reason", location: "Location", contact_info: "Contact",
+      signature_size: 1_000
+    )
+    assert_equal("url", handler.tsa_url)
+    assert_equal("MD5", handler.tsa_hash_algorithm)
+    assert_equal("5", handler.tsa_policy_id)
+    assert_equal("Reason", handler.reason)
+    assert_equal("Location", handler.location)
+    assert_equal("Contact", handler.contact_info)
+    assert_equal(1_000, handler.signature_size)
+  end
+  it "finalizes the signature field and signature objects" do
+    @field = @doc.wrap({})
+    @sig = @doc.wrap({})
+    @handler.reason = 'Reason'
+    @handler.location = 'Location'
+    @handler.contact_info = 'Contact'
+    @handler.finalize_objects(@field, @sig)
+    assert_equal('2.0', @doc.version)
+    assert_equal(:DocTimeStamp, @sig[:Type])
+    assert_equal(:'Adobe.PPKLite', @sig[:Filter])
+    assert_equal(:'ETSI.RFC3161', @sig[:SubFilter])
+    assert_equal('Reason', @sig[:Reason])
+    assert_equal('Location', @sig[:Location])
+    assert_equal('Contact', @sig[:ContactInfo])
+  end
+  it "returns the size of serialized signature" do
+    @handler.tsa_url = "http://127.0.0.1:34567"
+    CERTIFICATES.start_tsa_server
+    assert(@handler.signature_size > 1000)
+  end
+  describe "sign" do
+    before do
+      @data = StringIO.new("data")
+      @range = [0, 4, 0, 0]
+      @handler.tsa_url = "http://127.0.0.1:34567"
+      CERTIFICATES.start_tsa_server
+    end
+    it "respects the set hash algorithm and policy id" do
+      @handler.tsa_hash_algorithm = 'SHA256'
+      @handler.tsa_policy_id = '1.2.3.4.2'
+      token = OpenSSL::ASN1.decode(@handler.sign(@data, @range))
+      content = OpenSSL::ASN1.decode(token.value[1].value[0].value[2].value[1].value[0].value)
+      policy_id = content.value[1].value
+      digest_algorithm = content.value[2].value[0].value[0].value
+      assert_equal('SHA256', digest_algorithm)
+      assert_equal("1.2.3.4.2", policy_id)
+    end
+    it "returns the serialized timestamp token" do
+      token = OpenSSL::PKCS7.new(@handler.sign(@data, @range))
+      assert_equal(CERTIFICATES.ca_certificate.subject, token.signers[0].issuer)
+      assert_equal(CERTIFICATES.timestamp_certificate.serial, token.signers[0].serial)
+    end
+    it "fails if the timestamp token could not be created" do
+      @handler.tsa_hash_algorithm = 'SHA1'
+      msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+      assert_match(/BAD_ALG/, msg.message)
+    end
+    it "fails if the timestamp server couldn't process the request" do
+      @handler.tsa_policy_id = '1.2.3.4.1'
+      msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+      assert_match(/Invalid TSA server response/, msg.message)
+    end
+  end
+end

data/test/hexapdf/{type/signature/test_adbe_pkcs7_detached.rb → digital_signature/test_cms_handler.rb} RENAMED Viewed

@@ -3,10 +3,10 @@
 require 'digest'
 require 'test_helper'
 require_relative 'common'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'ostruct'
-describe HexaPDF::Type::Signature::AdbePkcs7Detached do
+describe HexaPDF::DigitalSignature::CMSHandler do
   before do
     @data = 'Some data'
     @dict = OpenStruct.new
@@ -15,11 +15,11 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
                                  OpenSSL::PKCS7::DETACHED)
     @dict.contents = @pkcs7.to_der
     @dict.signed_data = @data
-    @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+    @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
   end
   it "returns the signer name" do
-    assert_equal("signer", @handler.signer_name)
+    assert_equal("RSA signer", @handler.signer_name)
   end
   it "returns the signing time" do
@@ -60,7 +60,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
       @pkcs7.add_signer(OpenSSL::PKCS7::SignerInfo.new(CERTIFICATES.signer_certificate,
                                                        CERTIFICATES.signer_key, 'SHA1'))
       @dict.contents = @pkcs7.to_der
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
       result = @handler.verify(@store)
       assert_equal(2, result.messages.size)
       assert_equal(:error, result.messages.first.type)
@@ -80,7 +80,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
                                    @data, [CERTIFICATES.ca_certificate],
                                    OpenSSL::PKCS7::DETACHED)
       @dict.contents = @pkcs7.to_der
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
       result = @handler.verify(@store)
       assert_equal(:error, result.messages.first.type)
       assert_match(/key usage is missing 'Digital Signature'/, result.messages.first.content)
@@ -110,7 +110,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
       res = fac.create_timestamp(CERTIFICATES.signer_key, CERTIFICATES.timestamp_certificate, req)
       @dict.contents = res.token.to_der
       @dict.signature_type = 'ETSI.RFC3161'
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
       result = @handler.verify(@store)
       assert_equal(:info, result.messages.last.type)

data/test/hexapdf/{type/signature → digital_signature}/test_handler.rb RENAMED Viewed

@@ -1,17 +1,17 @@
 # -*- encoding: utf-8 -*-
 require 'test_helper'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'hexapdf/document'
 require 'time'
 require 'ostruct'
-describe HexaPDF::Type::Signature::Handler do
+describe HexaPDF::DigitalSignature::Handler do
   before do
     @time = Time.parse("2021-11-14 7:00")
     @dict = {Name: "handler", M: @time}
-    @handler = HexaPDF::Type::Signature::Handler.new(@dict)
-    @result = HexaPDF::Type::Signature::VerificationResult.new
+    @handler = HexaPDF::DigitalSignature::Handler.new(@dict)
+    @result = HexaPDF::DigitalSignature::VerificationResult.new
   end
   it "returns the signer name" do

data/test/hexapdf/{type/signature/test_adbe_x509_rsa_sha1.rb → digital_signature/test_pkcs1_handler.rb} RENAMED Viewed

@@ -2,10 +2,10 @@
 require 'test_helper'
 require_relative 'common'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'ostruct'
-describe HexaPDF::Type::Signature::AdbeX509RsaSha1 do
+describe HexaPDF::DigitalSignature::PKCS1Handler do
   before do
     @data = 'Some data'
     @dict = OpenStruct.new
@@ -14,7 +14,7 @@ describe HexaPDF::Type::Signature::AdbeX509RsaSha1 do
     @dict.contents = OpenSSL::ASN1::OctetString.new(encoded_data).to_der
     @dict.Cert = [CERTIFICATES.signer_certificate.to_der]
     def @dict.key?(*); true; end
-    @handler = HexaPDF::Type::Signature::AdbeX509RsaSha1.new(@dict)
+    @handler = HexaPDF::DigitalSignature::PKCS1Handler.new(@dict)
   end
   it "returns the certificate chain" do

data/test/hexapdf/{type → digital_signature}/test_signature.rb RENAMED Viewed

@@ -2,11 +2,11 @@
 require 'test_helper'
 require 'hexapdf/document'
-require 'hexapdf/type/signature'
-require_relative 'signature/common'
+require 'hexapdf/digital_signature'
+require_relative 'common'
 require 'stringio'
-describe HexaPDF::Type::Signature::TransformParams do
+describe HexaPDF::DigitalSignature::Signature::TransformParams do
   before do
     @doc = HexaPDF::Document.new
     @params = @doc.add({Type: :TransformParams})
@@ -36,7 +36,7 @@ describe HexaPDF::Type::Signature::TransformParams do
   end
 end
-describe HexaPDF::Type::Signature::SignatureReference do
+describe HexaPDF::DigitalSignature::Signature::SignatureReference do
   before do
     @doc = HexaPDF::Document.new
     @sigref = @doc.add({Type: :SigRef})
@@ -52,7 +52,7 @@ describe HexaPDF::Type::Signature::SignatureReference do
   end
 end
-describe HexaPDF::Type::Signature do
+describe HexaPDF::DigitalSignature::Signature do
   before do
     @doc = HexaPDF::Document.new
     @sig = @doc.add({Type: :Sig, Filter: :'Adobe.PPKLite', SubFilter: :'ETSI.CAdES.detached'})
@@ -65,7 +65,7 @@ describe HexaPDF::Type::Signature do
   end
   it "returns the signer name" do
-    assert_equal('signer', @sig.signer_name)
+    assert_equal('RSA signer', @sig.signer_name)
   end
   it "returns the signing time" do
@@ -88,7 +88,7 @@ describe HexaPDF::Type::Signature do
   describe "signature_handler" do
     it "returns the signature handler" do
-      assert_kind_of(HexaPDF::Type::Signature::Handler, @sig.signature_handler)
+      assert_kind_of(HexaPDF::DigitalSignature::Handler, @sig.signature_handler)
     end
     it "fails if the required handler is not available" do