hexapdf 0.28.0 → 0.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 874e09b094ea4e793d1d123cfbaded6d1cc5ba93af3b57587e9faf402786a30f
-  data.tar.gz: c1eed6a778936cd360b4f1878a18abc3e5727c1f36b5eab4838a9a72817dff7b
+  metadata.gz: 7a32d8f7558ea14ae5dc40849c690b79f5ed4a797cffb85253e7fd6d00c54736
+  data.tar.gz: 92713168ee64efc59f86ff1d4f8989054ab02653ccaf84795aed3fea02a4811d
 SHA512:
-  metadata.gz: b66a7587a239acbeb9ebbb20f851b2fa7738c5a4c2f8a95ae7ae3d7419b84ae37b5d1fb48a6b7023bff0df3e1728c395b5351c9c42c05707fabd5a1722e2b88a
-  data.tar.gz: 62ac7d070bb8ae3426685af497a047096dd32dc16a102baa961512652222b388198561776fc1227be69bdd0713183d91fa25e411262eec34a29227aae9723d5c
+  metadata.gz: 43b05643d9a59e9656a464eda221fa28e04bb4fe8ba1f97d0e31e434fbce64ffb9ed551689ce68957c8b4a7b82fbc85ecd91c1eac6d177b0109d4b9b5d275a6c
+  data.tar.gz: 780e7051327b0463e800ca4ea3b9f1ac1c3723d960154a2ac27c9e9bed867d0a257c48c20762cd0947f8638dc1f72b598a33ff76e1f0d1d2b0f1ff843497eb29

data/CHANGELOG.md

@@ -1,3 +1,79 @@
+## 0.31.0 - 2023-02-22
+
+### Added
+
+* [HexaPDF::Layout::PageStyle] for collecting all styling information for pages
+* [HexaPDF::Composer#page_style] for configuring different page styles
+
+### Changed
+
+* **Breaking change**: [HexaPDF::Composer] uses page styles underneath
+* **Breaking change**: Configuration options `filter.flate_compression` and
+  `filter.flate_memory` are changed to `filter.flate.compression` and
+  `filter.flate.memory`
+* **Breaking change**: [HexaPDF::Document#wrap] handles cross-reference and
+  object stream specially to avoid problems with invalid PDFs
+* [HexaPDF::Composer::new] to allow skipping the initial page creation
+* CLI command `hexapdf info --check` to process streams to reveal stream errors
+* CLI commands to output the name of created PDF files in verbose mode
+
+### Fixed
+
+* Validation of document outline items in case the first or last item got
+  deleted
+* `HexaPDF::Type::Page#perform_validation` to set a /MediaBox for invalid pages
+  that don't have one
+
+
+## 0.30.0 - 2023-02-13
+
+### Added
+
+* [HexaPDF::Document::Pages#create] for creating a page object without adding it
+  to the page tree
+
+### Changed
+
+* `HexaPDF::Type::FontSimple#perform_validation` to correct /Widths fields in
+  case it has an invalid number of entries
+
+### Fixed
+
+* [HexaPDF::DictionaryFields::DateConverter] to handle invalid months, day,
+  hour, minute and second values
+
+
+## 0.29.0 - 2023-01-30
+
+### Added
+
+* [HexaPDF::DigitalSignature::Signing::SignedDataCreator] for creating custom
+  CMS signed data objects
+
+### Changed
+
+* **Breaking change**: Refactored digital signature support and moved all
+  related code under the [HexaPDF::DigitalSignature] module
+* **Breaking change**: New external signing mode without the need for creating
+  the PKCS#7/CMS signed data object for
+  [HexaPDF::DigitalSignature::Signing::DefaultHandler]
+* **Breaking change**: Use value :pades instead of :etsi for
+  [HexaPDF::DigitalSignature::Signing::DefaultHandler#signature_type]
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow creating PAdES
+  level B-B and B-T signatures
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow specifying the
+  used digest algorithm
+* [HexaPDF::DigitalSignature::Signing::DefaultHandler] to allow specifying a
+  timestamp handler for including a timestamp token in the signature
+* Moved setting of signature entries /Filter, /SubFilter and /M fields to the
+  signing handlers
+
+### Fixed
+
+* [HexaPDF::DictionaryFields::DateConverter] to handle invalid timezone hour and
+  minute values
+
+
 ## 0.28.0 - 2022-12-30
 
 ### Added
@@ -61,30 +137,30 @@
 ### Added
 
 * Support for timestamp signatures through the
-  [HexaPDF::Document::Signatures::TimestampHandler]
+  `HexaPDF::Document::Signatures::TimestampHandler`
 * [HexaPDF::Document::Destinations#resolve] for resolving destination values
 * [HexaPDF::Document::Destinations::Destination#value] to return the destination
   array
 * Support for verifying document timestamp signatures
-* [HexaPDF::Document::Signatures::DefaultHandler#signature_size] to support
+* `HexaPDF::Document::Signatures::DefaultHandler#signature_size` to support
   setting custom signature sizes
-* [HexaPDF::Document::Signatures::DefaultHandler#external_signing] to support
+* `HexaPDF::Document::Signatures::DefaultHandler#external_signing` to support
   signing via custom mechanisms
-* [HexaPDF::Document::Signatures::embed_signature] to enable asynchronous
+* `HexaPDF::Document::Signatures::embed_signature` to enable asynchronous
   external signing
 
 ### Changed
 
 * **Breaking change**: The crop box is now used instead of the media box in most
   cases to be in line with the specification
-* [HexaPDF::Document::Signatures::DefaultHandler] to allow setting the used
+* `HexaPDF::Document::Signatures::DefaultHandler` to allow setting the used
   signature method
-* **Breaking change**: [HexaPDF::Document::Signatures::DefaultHandler#sign]
+* **Breaking change**: `HexaPDF::Document::Signatures::DefaultHandler#sign`
   needs to accept the IO object and the byte range instead of just the data
 * **Breaking change**: Enhanced support for outline items with new methods
   `#level` and `#destination_page` as well as changes to `#add` and `#each_item`
 * **Breaking change**: Removed `#filter_name` and `#sub_filter_name` from
-  [HexaPDF::Document::Signatures::DefaultHandler]
+  `HexaPDF::Document::Signatures::DefaultHandler`
 * `HexaPDF::Type::Resources#perform_validation` to not add a default procedure
   set since this feature is deprecated
 
@@ -101,7 +177,7 @@
 * [HexaPDF::Type::OutlineItem] to always be an indirect object
 * `HexaPDF::Tokenizer#parse_number` to handle references correctly in all cases
 * [HexaPDF::Type::Page#rotate] to correctly flatten all page boxes
-* [HexaPDF::Document::Signatures#add] to raise an error if the reserved space
+* `HexaPDF::Document::Signatures#add` to raise an error if the reserved space
   for the signature is not enough
 * `HexaPDF::Type::AcroForm::Form#perform_validation` to fix broken /Parent
   entries and to remove invalid objects from the field hierarchy
@@ -276,7 +352,7 @@
   moved node doesn't change
 * [HexaPDF::Type::PageTreeNode#move_page] to use the correct target position
   when the moved node is before the target position
-* [HexaPDF::Document::Signatures#add] to work in case the signature object is
+* `HexaPDF::Document::Signatures#add` to work in case the signature object is
   the last object written
 * CLI command `hexapdf inspect` to show correct byte range of the last revision
 * [HexaPDF::Writer#write_incremental] to only use a cross-reference stream if a
@@ -285,7 +361,7 @@
   disabled
 * [HexaPDF::Font::Encoding::GlyphList] to use binary reading to avoid problems
   on Windows
-* [HexaPDF::Document::Signatures#add] to use binary writing to avoid problems on
+* `HexaPDF::Document::Signatures#add` to use binary writing to avoid problems on
   Windows
 
 

data/examples/024-digital-signatures.rb

@@ -0,0 +1,23 @@
+# # Images
+#
+# This example shows how to embed images into a PDF document, directly on a
+# page's canvas and through the high-level [HexaPDF::Composer].
+#
+# Usage:
+# : `ruby digital-signatures.rb`
+#
+
+require 'hexapdf'
+require HexaPDF.data_dir + '/cert/demo_cert.rb'
+
+doc = if ARGV[0]
+        HexaPDF::Document.open(ARGV[0])
+      else
+        HexaPDF::Document.new.pages.add.document
+      end
+doc.sign("digital-signatures.pdf",
+         reason: 'Some reason',
+         certificate: HexaPDF.demo_cert.cert,
+         key: HexaPDF.demo_cert.key,
+         certificate_chain: [HexaPDF.demo_cert.sub_ca,
+                             HexaPDF.demo_cert.root_ca])

data/lib/hexapdf/cli/command.rb

@@ -101,6 +101,17 @@ module HexaPDF
       def pdf_options(password)
         hash = {decryption_opts: {password: password}, config: {}}
         HexaPDF::GlobalConfiguration['filter.predictor.strict'] = command_parser.strict
+        HexaPDF::GlobalConfiguration['filter.flate.on_error'] =
+          if command_parser.strict
+            proc { true }
+          else
+            proc do |_, error|
+              if command_parser.verbosity_info?
+                $stderr.puts "Ignoring error in flate encoded stream: #{error}"
+              end
+              false
+            end
+          end
         hash[:config]['parser.try_xref_reconstruction'] = !command_parser.strict
         hash[:config]['parser.on_correctable_error'] =
           if command_parser.strict
@@ -120,6 +131,7 @@ module HexaPDF
       # Writes the document to the given file or does nothing if +out_file+ is +nil+.
       def write_document(doc, out_file, incremental: false)
         if out_file
+          doc.trailer.update_id
           doc.validate(auto_correct: true) do |msg, correctable, object|
             if command_parser.strict && !correctable
               raise "Validation error for object (#{object.oid},#{object.gen}): #{msg}"
@@ -128,6 +140,9 @@ module HexaPDF
                 "for object (#{object.oid},#{object.gen}): #{msg}"
             end
           end
+          if command_parser.verbosity_info?
+            puts "Creating output document #{out_file}"
+          end
           doc.write(out_file, validate: false, incremental: incremental)
         end
       end
@@ -331,7 +346,7 @@ module HexaPDF
             rotation = ROTATE_MAP[$4]
             start_nr.step(to: end_nr, by: step) {|n| arr << [n, rotation] }
           else
-            raise OptionParser::InvalidArgument, "invalid page range format: #{str}"
+            raise OptionParser::InvalidArgument, "invalid page range format: #{str.inspect}"
           end
         end
       end

data/lib/hexapdf/cli/info.rb

@@ -106,6 +106,13 @@ module HexaPDF
             doc.each(only_loaded: false) do |obj|
               indirect_object = obj
               obj.validate(auto_correct: true, &validation_block)
+              if obj.data.stream
+                begin
+                  obj.stream
+                rescue StandardError
+                  puts "ERROR: Stream of object (#{obj.oid},#{obj.gen}) invalid: #{$!.message}"
+                end
+              end
             end
           end
 
@@ -177,7 +184,8 @@ module HexaPDF
       def pdf_options(password)
         if @check_file
           options = {decryption_opts: {password: password}, config: {}}
-          HexaPDF::GlobalConfiguration['filter.predictor.strict'] = false
+          HexaPDF::GlobalConfiguration['filter.predictor.strict'] = true
+          HexaPDF::GlobalConfiguration['filter.flate.on_error'] = proc { true }
           options[:config]['parser.try_xref_reconstruction'] = true
           options[:config]['parser.on_correctable_error'] = lambda do |_, msg, pos|
             puts "WARNING: Parse error at position #{pos}: #{msg}"

data/lib/hexapdf/cli/inspect.rb

@@ -166,8 +166,8 @@ module HexaPDF
           when 'p', 'pages'
             begin
               pages = parse_pages_specification(data.shift || '1-e', @doc.pages.count)
-            rescue StandardError
-              $stderr.puts("Error: Invalid page range argument")
+            rescue StandardError => e
+              $stderr.puts("Error: #{e}")
               next
             end
             page_list = @doc.pages.to_a

data/lib/hexapdf/composer.rb

@@ -106,6 +106,14 @@ module HexaPDF
 
     # Creates a new Composer object and optionally yields it to the given block.
     #
+    # skip_page_creation::
+    #     If this argument is +true+ (the default), the arguments +page_size+, +page_orientation+
+    #     and +margin+ are used to create a page style with the name :default and an initial page is
+    #     created as well.
+    #
+    #     Otherwise, i.e. when this argument is +false+, no initial page or default page style is
+    #     created. This has to be done manually using the #page_style and #new_page methods.
+    #
     # page_size::
     #     Can be any valid predefined page size (see Type::Page::PAPER_SIZE) or an array [llx, lly,
     #     urx, ury] specifying a custom page size.
@@ -120,36 +128,53 @@ module HexaPDF
     # Example:
     #
     #   composer = HexaPDF::Composer.new            # uses the default values
+    #
     #   HexaPDF::Composer.new(page_size: :Letter, margin: 72) do |composer|
     #     #...
     #   end
-    def initialize(page_size: :A4, page_orientation: :portrait, margin: 36) #:yields: composer
+    #
+    #   HexaPDF::Composer.new(skip_page_creation: true) do |composer|
+    #     page_template = lambda {|canvas, style| style.create_frame(canvas.context, 36) }
+    #     page_style(:default, template: page_template)
+    #     new_page
+    #     # ...
+    #   end
+    def initialize(skip_page_creation: false, page_size: :A4, page_orientation: :portrait,
+                   margin: 36) #:yields: composer
       @document = HexaPDF::Document.new
-      @page_size = page_size
-      @page_orientation = page_orientation
-      @margin = Layout::Style::Quad.new(margin)
-
-      new_page
+      @page_styles = {}
+      @page_style = :default
+      unless skip_page_creation
+        page_style(:default, page_size: page_size, orientation: page_orientation) do |canvas, style|
+          style.frame = style.create_frame(canvas.context, margin)
+        end
+        new_page
+      end
       yield(self) if block_given?
     end
 
     # Creates a new page, making it the current one.
     #
-    # If any of +page_size+, +page_orientation+ or +margin+ are set, they will be used instead of
-    # the default values and will become the default values.
+    # The page style to use for the new page can be set via the +style+ argument. If not provided,
+    # the currently set page style is used.
+    #
+    # The used page style determines the page style that should be used for the following new pages.
+    # If this information is not provided, the used page style is used again.
     #
     # Examples:
     #
-    #   composer.new_page  # uses the default values
-    #   composer.new_page(page_size: :A5, margin: [72, 36])
-    def new_page(page_size: nil, page_orientation: nil, margin: nil)
-      @page_size = page_size if page_size
-      @page_orientation = page_orientation if page_orientation
-      @margin = Layout::Style::Quad.new(margin) if margin
-
-      @page = @document.pages.add(@page_size, orientation: @page_orientation)
+    #   composer.page_style(:cover, page_size: :A4).next_style = :content
+    #   composer.page_style(:content, page_size: :A4)
+    #   composer.new_page(:cover)           # uses the :cover style, set next style to :content
+    #   composer.new_page                   # uses the :content style, next style again :content
+    def new_page(style = @page_style)
+      page_style = @page_styles.fetch(style) do |key|
+        raise ArgumentError, "Page style #{key} has not been defined"
+      end
+      @page = @document.pages.add(page_style.create_page(@document))
       @canvas = @page.canvas
-      create_frame
+      @frame = page_style.frame
+      @page_style = page_style.next_style || style
     end
 
     # The x-position of the cursor inside the current frame.
@@ -190,6 +215,40 @@ module HexaPDF
       @document.layout.style(name, base: base, **properties)
     end
 
+    # :call-seq:
+    #    composer.page_style(name)                                 -> page_style
+    #    composer.page_style(name, **attributes, &template_block)  -> page_style
+    #
+    # Creates and/or returns the page style +name+.
+    #
+    # If no attributes are given, the page style +name+ is returned. In case it does not exist,
+    # +nil+ is returned.
+    #
+    # If one or more page style attributes are given, a new HexaPDF::Layout::PageStyle object with
+    # those attribute values is created, stored under +name+ and returned. If a block is provided,
+    # it is used to define the page template.
+    #
+    # Example:
+    #
+    #   composer.page_style(:default)
+    #   composer.page_style(:cover, page_size: :A4) do |canvas, style|
+    #     page_box = canvas.context.box
+    #     canvas.fill_color("fd0") do
+    #       canvas.rectangle(0, 0, page_box.width, page_box.height).
+    #         fill
+    #     end
+    #     style.frame = style.create_frame(canvas.context, 36)
+    #   end
+    #
+    # See: HexaPDF::Layout::PageStyle
+    def page_style(name, **attributes, &block)
+      if attributes.empty?
+        @page_styles[name]
+      else
+        @page_styles[name] = HexaPDF::Layout::PageStyle.new(**attributes, &block)
+      end
+    end
+
     # Draws the given text at the current position into the current frame.
     #
     # The text will be positioned at the current position if possible. Otherwise the next best
@@ -325,17 +384,6 @@ module HexaPDF
       stamp
     end
 
-    private
-
-    # Creates the frame into which boxes are layed out when a new page is created.
-    def create_frame
-      media_box = @page.box
-      @frame = Layout::Frame.new(media_box.left + @margin.left,
-                                 media_box.bottom + @margin.bottom,
-                                 media_box.width - @margin.left - @margin.right,
-                                 media_box.height - @margin.bottom - @margin.top)
-    end
-
   end
 
 end

data/lib/hexapdf/configuration.rb

@@ -350,6 +350,9 @@ module HexaPDF
   #    The media box that is used for new pages that don't define a media box. Default value is
   #    A4. See HexaPDF::Type::Page::PAPER_SIZE for a list of predefined paper sizes.
   #
+  #    This configuration option (together with 'page.default_media_orientation') is also used when
+  #    validating pages and a page without a media box is found.
+  #
   #    The value can either be a rectangle defining the paper size or a Symbol referencing one of
   #    the predefined paper sizes.
   #
@@ -393,8 +396,8 @@ module HexaPDF
   #
   # signature.sub_filter_map::
   #    A mapping from a PDF name (a Symbol) to a signature handler class (see
-  #    HexaPDF::Type::Signature::Handler). If the value is a String, it should contain the name of a
-  #    constant to such a class.
+  #    HexaPDF::DigitalSignature::Handler). If the value is a String, it should contain the name of
+  #    a constant to such a class.
   #
   #    The sub filter map is used for mapping specific signature algorithms to handler classes. The
   #    filter value of a signature dictionary is ignored since we only support the standard
@@ -486,14 +489,14 @@ module HexaPDF
                         link: 'HexaPDF::Layout::Style::LinkLayer',
                       },
                       'signature.signing_handler' => {
-                        default: 'HexaPDF::Document::Signatures::DefaultHandler',
-                        timestamp: 'HexaPDF::Document::Signatures::TimestampHandler',
+                        default: 'HexaPDF::DigitalSignature::Signing::DefaultHandler',
+                        timestamp: 'HexaPDF::DigitalSignature::Signing::TimestampHandler',
                       },
                       'signature.sub_filter_map' => {
-                        'adbe.x509.rsa_sha1': 'HexaPDF::Type::Signature::AdbeX509RsaSha1',
-                        'adbe.pkcs7.detached': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
-                        'ETSI.CAdES.detached': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
-                        'ETSI.RFC3161': 'HexaPDF::Type::Signature::AdbePkcs7Detached',
+                        'adbe.x509.rsa_sha1': 'HexaPDF::DigitalSignature::PKCS1Handler',
+                        'adbe.pkcs7.detached': 'HexaPDF::DigitalSignature::CMSHandler',
+                        'ETSI.CAdES.detached': 'HexaPDF::DigitalSignature::CMSHandler',
+                        'ETSI.RFC3161': 'HexaPDF::DigitalSignature::CMSHandler',
                       },
                       'task.map' => {
                         optimize: 'HexaPDF::Task::Optimize',
@@ -511,11 +514,20 @@ module HexaPDF
   #
   #    See PDF1.7 s8.6
   #
-  # filter.flate_compression::
+  # filter.flate.compression::
   #    Specifies the compression level that should be used with the FlateDecode filter. The level
   #    can range from 0 (no compression), 1 (best speed) to 9 (best compression, default).
   #
-  # filter.flate_memory::
+  # filter.flate.on_error::
+  #    Callback hook when a potentially recoverable Zlib error occurs in the FlateDecode filter.
+  #
+  #    The value needs to be an object that responds to \#call(stream, error) where stream is the
+  #    Zlib stream object and error is the thrown error. The method needs to return +true+ if an
+  #    error should be raised.
+  #
+  #    The default implementation prevents errors from being raised.
+  #
+  # filter.flate.memory::
   #    Specifies the memory level that should be used with the FlateDecode filter. The level can
   #    range from 1 (minimum memory usage; slow, reduces compression) to 9 (maximum memory usage).
   #
@@ -543,8 +555,9 @@ module HexaPDF
   #    This mapping is used to provide automatic wrapping of objects in the HexaPDF::Document#wrap
   #    method.
   GlobalConfiguration =
-    Configuration.new('filter.flate_compression' => 9,
-                      'filter.flate_memory' => 6,
+    Configuration.new('filter.flate.compression' => 9,
+                      'filter.flate.on_error' => proc { false },
+                      'filter.flate.memory' => 6,
                       'filter.predictor.strict' => false,
                       'color_space.map' => {
                         DeviceRGB: 'HexaPDF::Content::ColorSpace::DeviceRGB',
@@ -583,10 +596,10 @@ module HexaPDF
                         SigFieldLock: 'HexaPDF::Type::AcroForm::SignatureField::LockDictionary',
                         SV: 'HexaPDF::Type::AcroForm::SignatureField::SeedValueDictionary',
                         SVCert: 'HexaPDF::Type::AcroForm::SignatureField::CertificateSeedValueDictionary',
-                        Sig: 'HexaPDF::Type::Signature',
-                        DocTimeStamp: 'HexaPDF::Type::Signature',
-                        SigRef: 'HexaPDF::Type::Signature::SignatureReference',
-                        TransformParams: 'HexaPDF::Type::Signature::TransformParams',
+                        Sig: 'HexaPDF::DigitalSignature::Signature',
+                        DocTimeStamp: 'HexaPDF::DigitalSignature::Signature',
+                        SigRef: 'HexaPDF::DigitalSignature::Signature::SignatureReference',
+                        TransformParams: 'HexaPDF::DigitalSignature::Signature::TransformParams',
                         Outlines: 'HexaPDF::Type::Outline',
                         XXOutlineItem: 'HexaPDF::Type::OutlineItem',
                         PageLabel: 'HexaPDF::Type::PageLabel',

data/lib/hexapdf/dictionary_fields.rb

@@ -293,16 +293,25 @@ module HexaPDF
       end
 
       # :nodoc:
-      DATE_RE = /\AD:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?([Z+-])?(?:(\d\d)(?:'|'([0-5]\d)'?|\z)?)?\z/n
+      DATE_RE = /\AD:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?([Z+-])?(?:(\d+)(?:'|'(\d+)'?|\z)?)?\z/n
 
       # Checks if the given object is a string and converts into a Time object if possible.
       # Otherwise returns +nil+.
       def self.convert(str, _type, _document)
         return unless str.kind_of?(String) && (m = str.match(DATE_RE))
 
-        utc_offset = (m[7].nil? || m[7] == 'Z' ? 0 : "#{m[7]}#{m[8]}:#{m[9] || '00'}")
-        Time.new(m[1].to_i, (m[2] ? m[2].to_i : 1), (m[3] ? m[3].to_i : 1),
-                 m[4].to_i, m[5].to_i, m[6].to_i, utc_offset)
+        utc_offset = if m[7].nil? || m[7] == 'Z'
+                       0
+                     else
+                       (m[7] == '-' ? -1 : 1) * (m[8].to_i * 3600 + m[9].to_i * 60).clamp(0, 86399)
+                     end
+        begin
+          Time.new(m[1].to_i, (m[2] ? m[2].to_i : 1), (m[3] ? m[3].to_i : 1),
+                   m[4].to_i, m[5].to_i, m[6].to_i, utc_offset)
+        rescue ArgumentError
+          Time.new(m[1].to_i, m[2].to_i.clamp(1, 12), m[3].to_i.clamp(1, 31),
+                   m[4].to_i.clamp(0, 23), m[5].to_i.clamp(0, 59), m[6].to_i.clamp(0, 59), utc_offset)
+        end
       end
 
     end

data/lib/hexapdf/digital_signature/cms_handler.rb

@@ -0,0 +1,137 @@
+# -*- encoding: utf-8; frozen_string_literal: true -*-
+#
+#--
+# This file is part of HexaPDF.
+#
+# HexaPDF - A Versatile PDF Creation and Manipulation Library For Ruby
+# Copyright (C) 2014-2022 Thomas Leitner
+#
+# HexaPDF is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License version 3 as
+# published by the Free Software Foundation with the addition of the
+# following permission added to Section 15 as permitted in Section 7(a):
+# FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+# THOMAS LEITNER, THOMAS LEITNER DISCLAIMS THE WARRANTY OF NON
+# INFRINGEMENT OF THIRD PARTY RIGHTS.
+#
+# HexaPDF is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
+# License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with HexaPDF. If not, see <http://www.gnu.org/licenses/>.
+#
+# The interactive user interfaces in modified source and object code
+# versions of HexaPDF must display Appropriate Legal Notices, as required
+# under Section 5 of the GNU Affero General Public License version 3.
+#
+# In accordance with Section 7(b) of the GNU Affero General Public
+# License, a covered work must retain the producer line in every PDF that
+# is created or manipulated using HexaPDF.
+#
+# If the GNU Affero General Public License doesn't fit your need,
+# commercial licenses are available at <https://gettalong.at/hexapdf/>.
+#++
+
+require 'openssl'
+require 'hexapdf/digital_signature/handler'
+
+module HexaPDF
+  module DigitalSignature
+
+    # The signature handler for PKCS#7 a.k.a. CMS signatures. Those include, for example, the
+    # adbe.pkcs7.detached sub-filter.
+    #
+    # See: PDF1.7/2.0 s12.8.3.3
+    class CMSHandler < Handler
+
+      # Creates a new signature handler for the given signature dictionary.
+      def initialize(signature_dict)
+        super
+        @pkcs7 = OpenSSL::PKCS7.new(signature_dict.contents)
+      end
+
+      # Returns the common name of the signer.
+      def signer_name
+        signer_certificate.subject.to_a.assoc("CN")&.[](1) || super
+      end
+
+      # Returns the time of signing.
+      def signing_time
+        signer_info.signed_time rescue super
+      end
+
+      # Returns the certificate chain.
+      def certificate_chain
+        @pkcs7.certificates
+      end
+
+      # Returns the signer certificate (an instance of OpenSSL::X509::Certificate).
+      def signer_certificate
+        info = signer_info
+        certificate_chain.find {|cert| cert.issuer == info.issuer && cert.serial == info.serial }
+      end
+
+      # Returns the signer information object (an instance of OpenSSL::PKCS7::SignerInfo).
+      def signer_info
+        @pkcs7.signers.first
+      end
+
+      # Verifies the signature using the provided OpenSSL::X509::Store object.
+      def verify(store, allow_self_signed: false)
+        result = super
+
+        signer_info = self.signer_info
+        signer_certificate = self.signer_certificate
+        certificate_chain = self.certificate_chain
+
+        if certificate_chain.empty?
+          result.log(:error, "No certificates found in signature")
+          return result
+        end
+
+        if @pkcs7.signers.size != 1
+          result.log(:error, "Exactly one signer needed, found #{@pkcs7.signers.size}")
+        end
+
+        unless signer_certificate
+          result.log(:error, "Signer serial=#{signer_info.serial} issuer=#{signer_info.issuer} " \
+                     "not found in certificates stored in PKCS7 object")
+          return result
+        end
+
+        key_usage = signer_certificate.extensions.find {|ext| ext.oid == 'keyUsage' }
+        unless key_usage && key_usage.value.split(', ').include?("Digital Signature")
+          result.log(:error, "Certificate key usage is missing 'Digital Signature'")
+        end
+
+        if signature_dict.signature_type == 'ETSI.RFC3161'
+          # Getting the needed values is not directly supported by Ruby OpenSSL
+          p7 = OpenSSL::ASN1.decode(signature_dict.contents.sub(/\x00*\z/, ''))
+          signed_data = p7.value[1].value[0]
+          content_info = signed_data.value[2]
+          content = OpenSSL::ASN1.decode(content_info.value[1].value[0].value)
+          digest_algorithm = content.value[2].value[0].value[0].value
+          original_hash = content.value[2].value[1].value
+          recomputed_hash = OpenSSL::Digest.digest(digest_algorithm, signature_dict.signed_data)
+          hash_valid = (original_hash == recomputed_hash)
+        else
+          data = signature_dict.signed_data
+          hash_valid = true # hash will be checked by @pkcs7.verify
+        end
+        if hash_valid && @pkcs7.verify(certificate_chain, store, data,
+                                       OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY)
+          result.log(:info, "Signature valid")
+        else
+          result.log(:error, "Signature verification failed")
+        end
+
+        result
+      end
+
+    end
+
+  end
+end
+