hexapdf 0.28.0 → 0.30.0

data/test/hexapdf/digital_signature/signing/test_signed_data_creator.rb

@@ -0,0 +1,225 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/document'
+require_relative '../common'
+
+describe HexaPDF::DigitalSignature::Signing::SignedDataCreator do
+  before do
+    @klass = HexaPDF::DigitalSignature::Signing::SignedDataCreator
+    @signed_data = @klass.new
+    @signed_data.certificate = CERTIFICATES.signer_certificate
+    @signed_data.key = CERTIFICATES.signer_key
+    @signed_data.certificates = [CERTIFICATES.ca_certificate]
+  end
+
+  it "allows setting the attributes" do
+    obj = @klass.new
+    obj.certificate = :cert
+    obj.key = :key
+    obj.certificates = :certs
+    obj.digest_algorithm = 'sha512'
+    obj.timestamp_handler = :tsh
+    assert_equal(:cert, obj.certificate)
+    assert_equal(:key, obj.key)
+    assert_equal(:certs, obj.certificates)
+    assert_equal('sha512', obj.digest_algorithm)
+    assert_equal(:tsh, obj.timestamp_handler)
+  end
+
+  it "doesn't allow setting attributes to nil using ::create" do
+    asn1 = @klass.create("data",
+                         certificate: CERTIFICATES.signer_certificate,
+                         key: CERTIFICATES.signer_key,
+                         digest_algorithm: nil)
+    assert_equal('2.16.840.1.101.3.4.2.1', asn1.value[1].value[1].value[0].value[0].value)
+  end
+
+  describe "content info structure" do
+    it "sets the correct content type value for the outer container" do
+      asn1 = @signed_data.create("data")
+      assert_equal('1.2.840.113549.1.7.2', asn1.value[0].value)
+    end
+
+    it "has the signed data structure marked as explicit" do
+      asn1 = @signed_data.create("data")
+      signed_data = asn1.value[1]
+      assert_equal(0, signed_data.tag)
+      assert_equal(:EXPLICIT, signed_data.tagging)
+      assert_equal(:CONTEXT_SPECIFIC, signed_data.tag_class)
+    end
+  end
+
+  describe "signed data structure" do
+    before do
+      @structure = @signed_data.create("data").value[1]
+    end
+
+    it "sets the correct version" do
+      assert_equal(1, @structure.value[0].value)
+    end
+
+    it "contains a reference to the used digest algorithm" do
+      assert_equal('2.16.840.1.101.3.4.2.1', @structure.value[1].value[0].value[0].value)
+      assert_nil(@structure.value[1].value[0].value[1].value)
+    end
+
+    it "contains an empty encapsulated content structure" do
+      assert_equal(1, @structure.value[2].value.size)
+      assert_equal('1.2.840.113549.1.7.1', @structure.value[2].value[0].value)
+    end
+
+    it "contains the assigned certificates" do
+      assert_equal(2, @structure.value[3].value.size)
+      assert_equal(0, @structure.value[3].tag)
+      assert_equal(:IMPLICIT, @structure.value[3].tagging)
+      assert_equal(:CONTEXT_SPECIFIC, @structure.value[3].tag_class)
+      assert_equal([CERTIFICATES.signer_certificate, CERTIFICATES.ca_certificate],
+                   @structure.value[3].value)
+    end
+
+    it "contains a single signer info structure" do
+      assert_equal(1, @structure.value[4].value.size)
+    end
+  end
+
+  describe "signer info" do
+    before do
+      @structure = @signed_data.create("data").value[1].value[4].value[0]
+    end
+
+    it "has the expected number of entries" do
+      assert_equal(6, @structure.value.size)
+    end
+
+    it "sets the correct version" do
+      assert_equal(1, @structure.value[0].value)
+    end
+
+    it "uses issuer and serial for the signer identifer" do
+      assert_equal(CERTIFICATES.signer_certificate.issuer, @structure.value[1].value[0])
+      assert_equal(CERTIFICATES.signer_certificate.serial, @structure.value[1].value[1].value)
+    end
+
+    it "contains a reference to the used digest algorithm" do
+      assert_equal('2.16.840.1.101.3.4.2.1', @structure.value[2].value[0].value)
+      assert_nil(@structure.value[2].value[1].value)
+    end
+
+    describe "signed attributes" do
+      it "uses the correct tagging for the attributes" do
+        assert_equal(0, @structure.value[3].tag)
+        assert_equal(:IMPLICIT, @structure.value[3].tagging)
+        assert_equal(:CONTEXT_SPECIFIC, @structure.value[3].tag_class)
+      end
+
+      it "contains the content type identifier" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.3' }
+        assert_equal('1.2.840.113549.1.7.1', attr.value[1].value[0].value)
+      end
+
+      it "contains the message digest attribute" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.4' }
+        assert_equal(OpenSSL::Digest.digest('SHA256', 'data'), attr.value[1].value[0].value)
+      end
+
+      it "contains the signing certificate attribute" do
+        attr = @structure.value[3].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.16.2.47' }
+        signing_cert = attr.value[1].value[0]
+        assert_equal(1, signing_cert.value.size)
+        assert_equal(1, signing_cert.value[0].value.size)
+        assert_equal(2, signing_cert.value[0].value[0].value.size)
+        assert_equal(OpenSSL::Digest.digest('sha256', CERTIFICATES.signer_certificate.to_der),
+                     signing_cert.value[0].value[0].value[0].value)
+        assert_equal(2, signing_cert.value[0].value[0].value[1].value.size)
+        assert_equal(1, signing_cert.value[0].value[0].value[1].value[0].value.size)
+        assert_equal(1, signing_cert.value[0].value[0].value[1].value[0].value[0].value.size)
+        assert_equal(4, signing_cert.value[0].value[0].value[1].value[0].value[0].tag)
+        assert_equal(:IMPLICIT, signing_cert.value[0].value[0].value[1].value[0].value[0].tagging)
+        assert_equal(:CONTEXT_SPECIFIC, signing_cert.value[0].value[0].value[1].value[0].value[0].tag_class)
+        assert_equal(CERTIFICATES.signer_certificate.issuer,
+                     signing_cert.value[0].value[0].value[1].value[0].value[0].value[0])
+        assert_equal(CERTIFICATES.signer_certificate.serial,
+                     signing_cert.value[0].value[0].value[1].value[1].value)
+      end
+    end
+
+    it "contains the signature algorithm reference" do
+      assert_equal('1.2.840.113549.1.1.1', @structure.value[4].value[0].value)
+      assert_nil(@structure.value[4].value[1].value)
+    end
+
+    it "contains the signature itself" do
+      to_sign = OpenSSL::ASN1::Set.new(@structure.value[3].value).to_der
+      assert_equal(CERTIFICATES.signer_key.sign('SHA256', to_sign), @structure.value[5].value)
+    end
+
+    it "fails if the signature algorithm is not supported" do
+      @signed_data.certificate = CERTIFICATES.dsa_signer_certificate
+      @signed_data.key = CERTIFICATES.dsa_signer_key
+      assert_raises(HexaPDF::Error) { @signed_data.create("data") }
+    end
+
+    it "can use a different digest algorithm" do
+      @signed_data.digest_algorithm = 'sha384'
+      structure = @signed_data.create("data").value[1].value[4].value[0]
+      to_sign = OpenSSL::ASN1::Set.new(structure.value[3].value).to_der
+      assert_equal('2.16.840.1.101.3.4.2.2', structure.value[2].value[0].value)
+      assert_equal(CERTIFICATES.signer_key.sign('SHA384', to_sign), structure.value[5].value)
+    end
+
+    it "allows delegating the signature to a provided signing block" do
+      @signed_data.key = nil
+      digest_algorithm = nil
+      calculated_hash = nil
+      structure = @signed_data.create("data") do |algorithm, hash|
+        digest_algorithm = algorithm
+        calculated_hash = hash
+        "signed"
+      end.value[1].value[4].value[0]
+      to_sign = OpenSSL::Digest.digest('SHA256', OpenSSL::ASN1::Set.new(structure.value[3].value).to_der)
+      assert_equal('sha256', digest_algorithm)
+      assert_equal(calculated_hash, to_sign)
+      assert_equal('signed', structure.value[5].value)
+    end
+
+    describe "unsigned attributes" do
+      it "allows adding a timestamp token" do
+        tsh = Object.new
+        io = nil
+        byte_range = nil
+        tsh.define_singleton_method(:sign) do |i_io, i_byte_range|
+          io = i_io
+          byte_range = i_byte_range
+          "timestamp"
+        end
+        @signed_data.timestamp_handler = tsh
+
+        structure = @signed_data.create("data").value[1].value[4].value[0]
+        assert_equal(structure.value[5].value, io.string)
+        assert_equal([0, io.string.size, 0, 0], byte_range)
+
+        attr = structure.value[6].value.find {|obj| obj.value[0].value == '1.2.840.113549.1.9.16.2.14' }
+        assert_equal("timestamp", attr.value[1].value[0])
+      end
+    end
+  end
+
+  describe "cms signature" do
+    it "includes the current time as signing time" do
+      Time.stub(:now, Time.at(0)) do
+        asn1 = OpenSSL::ASN1.decode(@signed_data.create("data"))
+        attr = asn1.value[1].value[0].value[4].value[0].value[3].value.
+          find {|obj| obj.value[0].value == 'signingTime' }
+        assert_equal(Time.now.utc, attr.value[1].value[0].value)
+      end
+    end
+  end
+
+  describe "pades signature" do
+    it "doesn't include the signing-time attribute" do
+      signer_info = @signed_data.create("data", type: :pades).value[1].value[4].value[0]
+      refute(signer_info.value[3].value.find {|obj| obj.value[0].value == 'signingTime' })
+    end
+  end
+end

data/test/hexapdf/digital_signature/signing/test_timestamp_handler.rb

@@ -0,0 +1,88 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/document'
+require_relative '../common'
+
+describe HexaPDF::DigitalSignature::Signing::TimestampHandler do
+  before do
+    @doc = HexaPDF::Document.new
+    @handler = HexaPDF::DigitalSignature::Signing::TimestampHandler.new
+  end
+
+  it "allows setting the attributes in the constructor" do
+    handler = @handler.class.new(
+      tsa_url: "url", tsa_hash_algorithm: "MD5", tsa_policy_id: "5",
+      reason: "Reason", location: "Location", contact_info: "Contact",
+      signature_size: 1_000
+    )
+    assert_equal("url", handler.tsa_url)
+    assert_equal("MD5", handler.tsa_hash_algorithm)
+    assert_equal("5", handler.tsa_policy_id)
+    assert_equal("Reason", handler.reason)
+    assert_equal("Location", handler.location)
+    assert_equal("Contact", handler.contact_info)
+    assert_equal(1_000, handler.signature_size)
+  end
+
+  it "finalizes the signature field and signature objects" do
+    @field = @doc.wrap({})
+    @sig = @doc.wrap({})
+    @handler.reason = 'Reason'
+    @handler.location = 'Location'
+    @handler.contact_info = 'Contact'
+
+    @handler.finalize_objects(@field, @sig)
+    assert_equal('2.0', @doc.version)
+    assert_equal(:DocTimeStamp, @sig[:Type])
+    assert_equal(:'Adobe.PPKLite', @sig[:Filter])
+    assert_equal(:'ETSI.RFC3161', @sig[:SubFilter])
+    assert_equal('Reason', @sig[:Reason])
+    assert_equal('Location', @sig[:Location])
+    assert_equal('Contact', @sig[:ContactInfo])
+  end
+
+  it "returns the size of serialized signature" do
+    @handler.tsa_url = "http://127.0.0.1:34567"
+    CERTIFICATES.start_tsa_server
+    assert(@handler.signature_size > 1000)
+  end
+
+  describe "sign" do
+    before do
+      @data = StringIO.new("data")
+      @range = [0, 4, 0, 0]
+      @handler.tsa_url = "http://127.0.0.1:34567"
+      CERTIFICATES.start_tsa_server
+    end
+
+    it "respects the set hash algorithm and policy id" do
+      @handler.tsa_hash_algorithm = 'SHA256'
+      @handler.tsa_policy_id = '1.2.3.4.2'
+      token = OpenSSL::ASN1.decode(@handler.sign(@data, @range))
+      content = OpenSSL::ASN1.decode(token.value[1].value[0].value[2].value[1].value[0].value)
+      policy_id = content.value[1].value
+      digest_algorithm = content.value[2].value[0].value[0].value
+      assert_equal('SHA256', digest_algorithm)
+      assert_equal("1.2.3.4.2", policy_id)
+    end
+
+    it "returns the serialized timestamp token" do
+      token = OpenSSL::PKCS7.new(@handler.sign(@data, @range))
+      assert_equal(CERTIFICATES.ca_certificate.subject, token.signers[0].issuer)
+      assert_equal(CERTIFICATES.timestamp_certificate.serial, token.signers[0].serial)
+    end
+
+    it "fails if the timestamp token could not be created" do
+      @handler.tsa_hash_algorithm = 'SHA1'
+      msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+      assert_match(/BAD_ALG/, msg.message)
+    end
+
+    it "fails if the timestamp server couldn't process the request" do
+      @handler.tsa_policy_id = '1.2.3.4.1'
+      msg = assert_raises(HexaPDF::Error) { @handler.sign(@data, @range) }
+      assert_match(/Invalid TSA server response/, msg.message)
+    end
+  end
+end

data/test/hexapdf/{type/signature/test_adbe_pkcs7_detached.rb → digital_signature/test_cms_handler.rb}

@@ -3,10 +3,10 @@
 require 'digest'
 require 'test_helper'
 require_relative 'common'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'ostruct'
 
-describe HexaPDF::Type::Signature::AdbePkcs7Detached do
+describe HexaPDF::DigitalSignature::CMSHandler do
   before do
     @data = 'Some data'
     @dict = OpenStruct.new
@@ -15,11 +15,11 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
                                  OpenSSL::PKCS7::DETACHED)
     @dict.contents = @pkcs7.to_der
     @dict.signed_data = @data
-    @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+    @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
   end
 
   it "returns the signer name" do
-    assert_equal("signer", @handler.signer_name)
+    assert_equal("RSA signer", @handler.signer_name)
   end
 
   it "returns the signing time" do
@@ -60,7 +60,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
       @pkcs7.add_signer(OpenSSL::PKCS7::SignerInfo.new(CERTIFICATES.signer_certificate,
                                                        CERTIFICATES.signer_key, 'SHA1'))
       @dict.contents = @pkcs7.to_der
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
       result = @handler.verify(@store)
       assert_equal(2, result.messages.size)
       assert_equal(:error, result.messages.first.type)
@@ -80,7 +80,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
                                    @data, [CERTIFICATES.ca_certificate],
                                    OpenSSL::PKCS7::DETACHED)
       @dict.contents = @pkcs7.to_der
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
       result = @handler.verify(@store)
       assert_equal(:error, result.messages.first.type)
       assert_match(/key usage is missing 'Digital Signature'/, result.messages.first.content)
@@ -110,7 +110,7 @@ describe HexaPDF::Type::Signature::AdbePkcs7Detached do
       res = fac.create_timestamp(CERTIFICATES.signer_key, CERTIFICATES.timestamp_certificate, req)
       @dict.contents = res.token.to_der
       @dict.signature_type = 'ETSI.RFC3161'
-      @handler = HexaPDF::Type::Signature::AdbePkcs7Detached.new(@dict)
+      @handler = HexaPDF::DigitalSignature::CMSHandler.new(@dict)
 
       result = @handler.verify(@store)
       assert_equal(:info, result.messages.last.type)

data/test/hexapdf/{type/signature → digital_signature}/test_handler.rb

@@ -1,17 +1,17 @@
 # -*- encoding: utf-8 -*-
 
 require 'test_helper'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'hexapdf/document'
 require 'time'
 require 'ostruct'
 
-describe HexaPDF::Type::Signature::Handler do
+describe HexaPDF::DigitalSignature::Handler do
   before do
     @time = Time.parse("2021-11-14 7:00")
     @dict = {Name: "handler", M: @time}
-    @handler = HexaPDF::Type::Signature::Handler.new(@dict)
-    @result = HexaPDF::Type::Signature::VerificationResult.new
+    @handler = HexaPDF::DigitalSignature::Handler.new(@dict)
+    @result = HexaPDF::DigitalSignature::VerificationResult.new
   end
 
   it "returns the signer name" do

data/test/hexapdf/{type/signature/test_adbe_x509_rsa_sha1.rb → digital_signature/test_pkcs1_handler.rb}

@@ -2,10 +2,10 @@
 
 require 'test_helper'
 require_relative 'common'
-require 'hexapdf/type/signature'
+require 'hexapdf/digital_signature'
 require 'ostruct'
 
-describe HexaPDF::Type::Signature::AdbeX509RsaSha1 do
+describe HexaPDF::DigitalSignature::PKCS1Handler do
   before do
     @data = 'Some data'
     @dict = OpenStruct.new
@@ -14,7 +14,7 @@ describe HexaPDF::Type::Signature::AdbeX509RsaSha1 do
     @dict.contents = OpenSSL::ASN1::OctetString.new(encoded_data).to_der
     @dict.Cert = [CERTIFICATES.signer_certificate.to_der]
     def @dict.key?(*); true; end
-    @handler = HexaPDF::Type::Signature::AdbeX509RsaSha1.new(@dict)
+    @handler = HexaPDF::DigitalSignature::PKCS1Handler.new(@dict)
   end
 
   it "returns the certificate chain" do

data/test/hexapdf/{type → digital_signature}/test_signature.rb

@@ -2,11 +2,11 @@
 
 require 'test_helper'
 require 'hexapdf/document'
-require 'hexapdf/type/signature'
-require_relative 'signature/common'
+require 'hexapdf/digital_signature'
+require_relative 'common'
 require 'stringio'
 
-describe HexaPDF::Type::Signature::TransformParams do
+describe HexaPDF::DigitalSignature::Signature::TransformParams do
   before do
     @doc = HexaPDF::Document.new
     @params = @doc.add({Type: :TransformParams})
@@ -36,7 +36,7 @@ describe HexaPDF::Type::Signature::TransformParams do
   end
 end
 
-describe HexaPDF::Type::Signature::SignatureReference do
+describe HexaPDF::DigitalSignature::Signature::SignatureReference do
   before do
     @doc = HexaPDF::Document.new
     @sigref = @doc.add({Type: :SigRef})
@@ -52,7 +52,7 @@ describe HexaPDF::Type::Signature::SignatureReference do
   end
 end
 
-describe HexaPDF::Type::Signature do
+describe HexaPDF::DigitalSignature::Signature do
   before do
     @doc = HexaPDF::Document.new
     @sig = @doc.add({Type: :Sig, Filter: :'Adobe.PPKLite', SubFilter: :'ETSI.CAdES.detached'})
@@ -65,7 +65,7 @@ describe HexaPDF::Type::Signature do
   end
 
   it "returns the signer name" do
-    assert_equal('signer', @sig.signer_name)
+    assert_equal('RSA signer', @sig.signer_name)
   end
 
   it "returns the signing time" do
@@ -88,7 +88,7 @@ describe HexaPDF::Type::Signature do
 
   describe "signature_handler" do
     it "returns the signature handler" do
-      assert_kind_of(HexaPDF::Type::Signature::Handler, @sig.signature_handler)
+      assert_kind_of(HexaPDF::DigitalSignature::Handler, @sig.signature_handler)
     end
 
     it "fails if the required handler is not available" do

data/test/hexapdf/digital_signature/test_signatures.rb

@@ -0,0 +1,137 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'stringio'
+require 'tempfile'
+require 'hexapdf/document'
+require_relative 'common'
+
+describe HexaPDF::DigitalSignature::Signatures do
+  before do
+    @doc = HexaPDF::Document.new
+    @form = @doc.acro_form(create: true)
+    @sig1 = @form.create_signature_field("test1")
+    @sig2 = @form.create_signature_field("test2")
+  end
+
+  it "iterates over all signature dictionaries" do
+    assert_equal([], @doc.signatures.to_a)
+    @sig1.field_value = :sig1
+    @sig2.field_value = :sig2
+    assert_equal([:sig1, :sig2], @doc.signatures.to_a)
+  end
+
+  it "returns the number of signature dictionaries" do
+    @sig1.field_value = :sig1
+    assert_equal(1, @doc.signatures.count)
+  end
+
+  describe "signing_handler" do
+    it "return the initialized handler" do
+      handler = @doc.signatures.signing_handler(certificate: 'cert', reason: 'reason')
+      assert_equal('cert', handler.certificate)
+      assert_equal('reason', handler.reason)
+    end
+
+    it "fails if the given task is not available" do
+      assert_raises(HexaPDF::Error) { @doc.signatures.signing_handler(name: :unknown) }
+    end
+  end
+
+  describe "add" do
+    before do
+      @doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+      @io = StringIO.new(''.b)
+      @handler = @doc.signatures.signing_handler(
+        certificate: CERTIFICATES.signer_certificate,
+        key: CERTIFICATES.signer_key,
+        certificate_chain: [CERTIFICATES.ca_certificate]
+      )
+    end
+
+    it "uses the provided signature dictionary" do
+      sig = @doc.add({Type: :Sig, Key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      assert_equal(:value, @doc.signatures.to_a[0][:Key])
+      refute_equal(:value, @doc.acro_form.each_field.first[:Key])
+    end
+
+    it "creates the signature dictionary if none is provided" do
+      @doc.signatures.add(@io, @handler)
+      assert_equal(1, @doc.signatures.to_a.compact.size)
+      refute(@doc.acro_form.each_field.first.key?(:Contents))
+    end
+
+    it "sets the needed information on the signature dictionary" do
+      def @handler.finalize_objects(sigfield, sig)
+        sig[:key] = :sig
+        sigfield[:key] = :sig_field
+      end
+      @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      sig = @doc.signatures.first
+      assert_equal([0, 925, 925 + sig[:Contents].size * 2 + 2, 2501], sig[:ByteRange].value)
+      assert_equal(:sig, sig[:key])
+      assert_equal(:sig_field, @doc.acro_form.each_field.first[:key])
+      assert(sig.key?(:Contents))
+    end
+
+    it "creates the main form dictionary if necessary" do
+      @doc.signatures.add(@io, @handler)
+      assert(@doc.acro_form)
+      assert_equal([:signatures_exist, :append_only], @doc.acro_form.signature_flags)
+    end
+
+    it "uses the provided signature field" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      @doc.signatures.add(@io, @handler, signature: field)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      refute_nil(field.field_value)
+      assert_nil(@doc.signatures.first[:T])
+    end
+
+    it "uses an existing signature field if possible" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      field.field_value = sig = @doc.add({Type: :Sig, key: :value})
+      @doc.signatures.add(@io, @handler, signature: sig)
+      assert_nil(@doc.acro_form.field_by_name("Signature3"))
+      assert_same(sig, @doc.signatures.first)
+    end
+
+    it "creates the signature field if necessary" do
+      @doc.acro_form(create: true).create_text_field('Signature2')
+      @doc.signatures.add(@io, @handler)
+      field = @doc.acro_form.field_by_name("Signature3")
+      assert_equal(:Sig, field.field_type)
+      refute_nil(field.field_value)
+      assert_equal(1, field.each_widget.count)
+    end
+
+    it "handles different xref section types correctly when determing the offsets" do
+      @doc.delete(7)
+      sig = @doc.signatures.add(@io, @handler, write_options: {update_fields: false})
+      assert_equal([0, 1036, 1036 + sig[:Contents].size * 2 + 2, 2483], sig[:ByteRange].value)
+    end
+
+    it "works if the signature object is the last object of the xref section" do
+      field = @doc.acro_form(create: true).create_signature_field('Signature2')
+      field.create_widget(@doc.pages[0], Rect: [0, 0, 0, 0])
+      sig = @doc.signatures.add(@io, @handler, signature: field, write_options: {update_fields: false})
+      assert_equal([0, 3143, 3143 + sig[:Contents].size * 2 + 2, 380], sig[:ByteRange].value)
+    end
+
+    it "allows writing to a file in addition to writing to an IO" do
+      tempfile = Tempfile.new('hexapdf-signature')
+      tempfile.close
+      @doc.signatures.add(tempfile.path, @handler)
+      doc = HexaPDF::Document.open(tempfile.path)
+      assert(doc.signatures.first.verify(allow_self_signed: true).success?)
+    end
+
+    it "adds a new revision with the signature" do
+      @doc.signatures.add(@io, @handler)
+      signed_doc = HexaPDF::Document.new(io: @io)
+      assert(signed_doc.signatures.first.verify)
+    end
+  end
+end

data/test/hexapdf/digital_signature/test_signing.rb

@@ -0,0 +1,53 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/document'
+require 'hexapdf/digital_signature'
+require_relative 'common'
+
+describe HexaPDF::DigitalSignature::Signing do
+  before do
+    @handler = HexaPDF::DigitalSignature::Signing::DefaultHandler.new(
+      certificate: CERTIFICATES.signer_certificate,
+      key: CERTIFICATES.signer_key,
+      certificate_chain: [CERTIFICATES.ca_certificate]
+    )
+  end
+
+  it "allows embedding an external signature value" do
+    # Create first signature normally for testing the signature-finding code later
+    doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+    io = StringIO.new(''.b)
+    doc.signatures.add(io, @handler)
+    doc = HexaPDF::Document.new(io: io)
+    io = StringIO.new(''.b)
+
+    byte_range = nil
+    @handler.signature_size = 5000
+    @handler.certificate = nil
+    @handler.external_signing = proc {|_, br| byte_range = br; "" }
+    doc.signatures.add(io, @handler)
+
+    io.pos = byte_range[0]
+    data = io.read(byte_range[1])
+    io.pos = byte_range[2]
+    data << io.read(byte_range[3])
+    contents = OpenSSL::PKCS7.sign(CERTIFICATES.signer_certificate, @handler.key, data,
+                                   @handler.certificate_chain,
+                                   OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY).to_der
+    HexaPDF::DigitalSignature::Signing.embed_signature(io, contents)
+    doc = HexaPDF::Document.new(io: io)
+    assert_equal(2, doc.signatures.each.count)
+    doc.signatures.each do |signature|
+      assert(signature.verify(allow_self_signed: true).messages.find {|m| m.content == 'Signature valid' })
+    end
+  end
+
+  it "fails if the reserved signature space is too small" do
+    doc = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+    io = StringIO.new(''.b)
+    def @handler.signature_size; 200; end
+    msg = assert_raises(HexaPDF::Error) { doc.signatures.add(io, @handler) }
+    assert_match(/space.*too small.*200 vs/, msg.message)
+  end
+end